Active Tracing Should Be Enabled For API Gateway Stages
More Info:
Active tracing should be enabled for your Amazon API Gateway API stages to sample incoming requests and send traces to AWS X-Ray. Then X-Ray can provide you an end-to-end view of an entire HTTP request, so you can analyze latencies in your APIs and their backend services.
Risk Level
Low
Address
Operational Maturity, Security
Compliance Standards
CBP
Triage and Remediation
Check Cause
- Sign in to the AWS Management Console and open the Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.
- In the navigation pane, choose ‘APIs’.
- Select the API you want to check, then in the ‘Stages’ section, select the stage you want to inspect.
- In the ‘Logs/Tracing’ tab, look at the ‘Enable X-Ray Tracing’ box. If it is not checked, Active Tracing is not enabled for that API Gateway Stage.
- First, install and configure the AWS CLI on your local machine by following the instructions provided by AWS. Make sure you have the necessary permissions to access API Gateway.
- Once the AWS CLI is installed and configured, list all the REST APIs in your account by running the following command:
aws apigateway get-rest-apis
This command returns a list of all the REST APIs in your account.
- For each API, list all the stages by running the following command:
aws apigateway get-stages --rest-api-id <rest-api-id>
Replace <rest-api-id> with the ID of the API you want to check. This command returns a list of all the stages for the specified API.
- For each stage, check whether active tracing is enabled by looking at the tracingEnabled field in the output. If this field is set to false, active tracing is not enabled for that stage.
- Install the necessary Python libraries: Before you start, make sure you have the boto3 library installed. boto3 is the Amazon Web Services (AWS) SDK for Python; it lets Python developers write software that uses services such as Amazon S3, Amazon EC2 and others. You can install it using pip:
pip install boto3
- Set up AWS credentials: You need to configure your AWS credentials. You can set credentials for boto3 in several ways, but the simplest is to use the AWS CLI. Run
aws configure
and then enter your access key, secret access key and default region when prompted.
- Write a Python script to check the active tracing status: You can use the get_stage method provided by the boto3 library to retrieve the information about a specific stage of a RestApi resource. The tracingEnabled attribute in the response indicates whether active tracing is enabled for the API Gateway stage. Here is a sample script:
import boto3

# Uses the credentials and region configured with 'aws configure'
client = boto3.client('apigateway')

# Fetch the configuration of one stage of one REST API
response = client.get_stage(
    restApiId='your_rest_api_id',
    stageName='your_stage_name'
)

# tracingEnabled is a boolean; anything other than True means X-Ray tracing is off
if 'tracingEnabled' in response:
    if response['tracingEnabled']:
        print("Active tracing is enabled for this API Gateway stage.")
    else:
        print("Active tracing is not enabled for this API Gateway stage.")
else:
    print("The 'tracingEnabled' attribute is not present in the response.")
Replace ‘your_rest_api_id’ and ‘your_stage_name’ with your actual RestApi ID and stage name.
- Run the script: Save the script to a file, then run it using your Python interpreter. The script prints a message indicating whether active tracing is enabled for the specified API Gateway stage. If the ‘tracingEnabled’ attribute is not present in the response, the script prints a message saying so.
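The CLI and boto3 steps above combined into one account-wide check, as an added example that is not part of the original page: it walks every REST API (following get_rest_apis pagination) and every stage, and reports stages where tracingEnabled is not true. The audit logic is separated from the API calls so it can be exercised against the constructed sample data; the function names and sample values are our own.

```python
# Added example (not from the original page): find API Gateway stages without
# active X-Ray tracing across all REST APIs in the configured account/region.
# Function names and the sample data below are ours, not an AWS API.

def find_stages_without_tracing(apis, stages_by_api):
    """Return [(api_id, api_name, stage_name)] for stages lacking active tracing.

    `apis` is a list shaped like get_rest_apis()['items'];
    `stages_by_api` maps a REST API id to a list shaped like get_stages()['item'].
    A missing 'tracingEnabled' key is treated the same as False.
    """
    findings = []
    for api in apis:
        api_id = api["id"]
        for stage in stages_by_api.get(api_id, []):
            if not stage.get("tracingEnabled", False):
                findings.append((api_id, api.get("name", ""), stage["stageName"]))
    return findings


def audit_account(client):
    """Collect APIs and stages through an apigateway client, following pagination."""
    apis = []
    kwargs = {"limit": 500}  # maximum page size for get_rest_apis
    while True:
        page = client.get_rest_apis(**kwargs)
        apis.extend(page.get("items", []))
        if "position" not in page:  # no further pages
            break
        kwargs["position"] = page["position"]
    stages_by_api = {
        api["id"]: client.get_stages(restApiId=api["id"]).get("item", [])
        for api in apis
    }
    return find_stages_without_tracing(apis, stages_by_api)


# Constructed sample data shaped like the boto3 responses, for an offline run.
SAMPLE_APIS = [{"id": "abc123", "name": "orders"}, {"id": "def456", "name": "billing"}]
SAMPLE_STAGES = {
    "abc123": [{"stageName": "prod", "tracingEnabled": True},
               {"stageName": "dev", "tracingEnabled": False}],
    "def456": [{"stageName": "v1"}],  # key absent: tracing not enabled
}

if __name__ == "__main__":
    import boto3  # real run against the account configured with 'aws configure'
    for api_id, name, stage in audit_account(boto3.client("apigateway")):
        print(f"tracing disabled: api={name} ({api_id}) stage={stage}")
```

Run offline with find_stages_without_tracing(SAMPLE_APIS, SAMPLE_STAGES) to see the two non-compliant stages; with boto3 and credentials in place, the main block reports the real account.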