Cloudwatch Metrics Must Be Enabled For All APIs

More Info:

Detailed CloudWatch metrics should be enabled for all APIs created with AWS API Gateway service in order to monitor API stages caching, latency and detected errors at a more granular level and set alarms accordingly.

Risk Level

Low

Address

Operational Maturity

Compliance Standards

HIPAA, SOC2, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Cause
Remediation

Check Cause

Using Console

Log in to the AWS Management Console and navigate to the API Gateway service.
In the API Gateway dashboard, select the APIs section on the left-hand side.
In the APIs list, select the API you want to check. This will open the API’s settings.
In the API settings, navigate to the Stages section. Here, you can see if CloudWatch metrics are enabled for each stage of the API. If the CloudWatch metrics are not enabled, it indicates a misconfiguration.

Using CLI

Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine and configure it with your AWS account credentials. You can do this by running the following commands: Installation:
```
pip install awscli
```
Configuration:
```
aws configure
```
You will be prompted to enter your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
List all APIs: Use the following command to list all the APIs in API Gateway:
```
aws apigateway get-rest-apis
```
This command will return a list of all the APIs in your AWS account.
Check Cloudwatch Metrics for each API: For each API in the list, you need to check if Cloudwatch Metrics are enabled. You can do this by running the following command for each API:
```
aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name>
```
Replace <api-id> with the ID of the API and <stage-name> with the name of the stage you want to check. This command will return the details of the specified stage.
Verify Cloudwatch Metrics: In the output of the previous command, look for the metricsEnabled field. If its value is true, then Cloudwatch Metrics are enabled for that API. If its value is false or if the metricsEnabled field is not present, then Cloudwatch Metrics are not enabled for that API.

Using Python

Setup AWS SDK (Boto3): First, you need to set up AWS SDK (Boto3) in your Python environment. You can install it using pip:
```
pip install boto3
```
After installing boto3, configure your AWS credentials either by setting up environment variables or by using the AWS CLI.

List all APIs in API Gateway: Use the get_rest_apis function from the apigateway client in boto3 to get a list of all APIs in API Gateway. Here is a sample script:

import boto3

def list_apis():
    client = boto3.client('apigateway')
    response = client.get_rest_apis()
    return response['items']

apis = list_apis()
for api in apis:
    print(api['name'])

This script will print the names of all APIs in API Gateway.

Check CloudWatch Metrics for each API: For each API, check if CloudWatch metrics are enabled. You can do this by checking the metricsEnabled attribute of the methodSettings for each method of each resource of the API. Here is a sample script:

import boto3

def check_metrics(api):
    client = boto3.client('apigateway')
    resources = client.get_resources(restApiId=api['id'])['items']
    for resource in resources:
        methods = resource.get('resourceMethods', {})
        for method in methods:
            settings = client.get_method_settings(
                restApiId=api['id'],
                resourceId=resource['id'],
                httpMethod=method
            )
            if not settings['methodSettings']['metricsEnabled']:
                print(f"CloudWatch Metrics not enabled for API {api['name']}, resource {resource['path']}, method {method}")

apis = list_apis()
for api in apis:
    check_metrics(api)

This script will print the names of APIs, resources, and methods for which CloudWatch Metrics are not enabled.

Interpret the Results: If the script prints any APIs, resources, and methods, it means that CloudWatch Metrics are not enabled for them. If it doesn’t print anything, it means that CloudWatch Metrics are enabled for all APIs in API Gateway.

Remediation

Using Console

To remediate the misconfiguration “Cloudwatch Metrics Must Be Enabled For All APIs” for AWS using AWS console, follow the below steps:

Open the AWS Management Console and go to the Amazon API Gateway service.
Select the API for which you want to enable CloudWatch metrics.
Click on the “Stages” option from the left-hand side menu.
Select the stage for which you want to enable CloudWatch metrics.
Click on the “Logs/Tracing” tab.
Under the “CloudWatch Settings” section, check the box next to “Enable CloudWatch Logs” and “Enable CloudWatch Metrics”.
Select the appropriate log format for your API.
Click on the “Save Changes” button.
Repeat the above steps for all the APIs and stages that you want to enable CloudWatch metrics for.

By following these steps, you can remediate the misconfiguration “Cloudwatch Metrics Must Be Enabled For All APIs” for AWS using AWS console.

Using CLI

To remediate the misconfiguration “Cloudwatch Metrics Must Be Enabled For All APIs” in AWS using AWS CLI, follow the below steps:

Open the AWS CLI on your local machine and run the following command to enable CloudWatch metrics for all existing APIs in your AWS account:

aws apigateway update-account --metrics-enabled

To ensure that CloudWatch metrics are enabled for all new APIs created in your account, run the following command:

aws apigateway update-rest-api --rest-api-id <rest-api-id> --patch-operations op=replace,path=/metrics/enabled,value=true

Note: Replace <rest-api-id> with the ID of your REST API.

To verify that CloudWatch metrics are enabled for all APIs, run the following command:

aws apigateway get-account

This command should return a JSON object with the following key-value pair:

"metricsEnabled": true

To verify that CloudWatch metrics are enabled for a specific API, run the following command:

aws apigateway get-rest-api --rest-api-id <rest-api-id>

This command should return a JSON object with the following key-value pair:

"metrics": {
    "enabled": true
}

Note: Replace <rest-api-id> with the ID of your REST API.By following these steps, you will have successfully remediated the misconfiguration “Cloudwatch Metrics Must Be Enabled For All APIs” in AWS using AWS CLI.

Using Python

To remediate the misconfiguration “Cloudwatch Metrics Must Be Enabled For All APIs” for AWS using Python, you can follow these steps:

Import the necessary AWS SDK for Python (Boto3) library.

import boto3

Create a Boto3 client for the Amazon API Gateway service.

apigateway = boto3.client('apigateway')

Get a list of all the APIs in your AWS account using the get_rest_apis method.

response = apigateway.get_rest_apis()

Loop through the list of APIs and enable CloudWatch metrics for each one using the update_stage method.

for api in response['items']:
    stages = apigateway.get_stages(restApiId=api['id'])
    for stage in stages['item']:
        apigateway.update_stage(restApiId=api['id'], stageName=stage['stageName'], patchOperations=[{'op': 'replace', 'path': '/metrics/enabled', 'value': 'true'}])

This code snippet will enable CloudWatch metrics for all APIs and stages in your AWS account. You can run this code as a Python script or integrate it into your existing infrastructure-as-code (IaC) pipeline to ensure that CloudWatch metrics are always enabled for your APIs.

Additional Reading:

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-metrics-and-dimensions.html

Documentation Index

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Check Cause

​Remediation

​

​Additional Reading: