Description:

API (Application Programming Interface) is a software intermediary that allows two applications to talk to each other.

AWS API Gateway is a service provided by Amazon that is used to create, publish, maintain, and secure various APIs such as REST, HTTP, and WebSocket at any scale.

You can enable API caching in Amazon API Gateway to cache your endpoint's responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API. When you enable caching for a stage, API Gateway caches responses from your endpoint for a specified time-to-live (TTL) period, in seconds. API Gateway then responds to the request by looking up the endpoint response from the cache instead of requesting your endpoint. The maximum size of a response that can be cached is 1048576 bytes.

 

Rationale:

If you choose to enable caching for a REST API, you can also enable cache encryption, so that cached responses are stored encrypted. Encrypting cache data may increase the size of the response when it is being cached. The APIs created with Amazon API Gateway expose HTTPS endpoints only; API Gateway doesn't support unencrypted (HTTP) endpoints. For greater security, you can choose a minimum Transport Layer Security (TLS) protocol version to be enforced for your API Gateway custom domain. You can choose either a TLS version 1.2 or a TLS version 1.0 security policy. WebSocket APIs and HTTP APIs support only TLS 1.2.


Impact: 

API Gateway enables caching by creating a dedicated cache instance. This process can take up to 4 minutes. API Gateway changes caching capacity by removing the existing cache instance and creating a new one with a modified capacity. All existing cached data is deleted.


Default Value: 

By default, API Cache is not enabled.


Pre-requisites:

  • Sign in as an admin or as an IAM user with the required permissions

  • Before following the implementation steps, you must have an API Gateway REST API that has been deployed to a stage.


Remediation:


Test Plan:

  • Log in to the AWS Management Console

  • Go to the Amazon API Gateway console at https://console.aws.amazon.com/apigateway/

  • Choose the API to examine

  • Click Stages in the left navigation pane

  • Click on the stage that you want to examine

  • Under the Settings section, look at Cache Settings to see whether the API cache is enabled or disabled for this stage

Using AWS CLI Command:

To list the stages of an API and whether each one has a cache cluster enabled:

aws apigateway get-stages \
  --region us-east-1 \
  --rest-api-id <api_id> \
  --output table \
  --query 'item[*].[stageName,cacheClusterEnabled]'


Implementation Steps:

  • Log in to the AWS Management Console

  • Go to the Amazon API Gateway console at https://console.aws.amazon.com/apigateway/

  • Choose the API for which you want to enable the cache

  • In the navigation panel, in the API submenu, click Stages to list the stages created for the selected API.

  • In the Settings tab, check the Enable API cache checkbox to enable the cache for the API, and make sure that cache data is encrypted by checking the Encrypt cache data checkbox

    Enter the TTL value according to your requirements. The default TTL value for API caching is 300 seconds. The maximum TTL value is 3600 seconds. TTL=0 means caching is disabled.

  • Click on the Save Changes button 


Using AWS CLI Command:

To enable the API cache for a stage and encrypt the cached data for all methods (the */* wildcard method setting):

aws apigateway update-stage \
  --region us-east-1 \
  --rest-api-id aaabbbbccc \
  --stage-name 'Production' \
  --patch-operations 'op=replace,path=/cacheClusterEnabled,value=true' \
                     'op=replace,path=/*/*/caching/dataEncrypted,value=true'
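The following Python script is added here as a worked example; it is not part of this document or of AWS's own tooling. It performs the check described in the Test Plan and builds the patch operations used in the Implementation Steps above: given the JSON structure that `aws apigateway get-stages` (or boto3 `get_stages`) returns, it flags every stage that caches responses without `cacheDataEncrypted`, classifies each stage, and can apply the fix with boto3. The embedded `get-stages` response is constructed, with made-up stage names; the `remediate_live` helper, its parameters and the region default are this example's own assumptions, and boto3 is assumed to be installed and configured with the credentials named in the Pre-requisites.

```python
"""Audit API Gateway REST API stages for cache encryption.

Added example, not part of the original document. It evaluates the JSON
structure returned by `aws apigateway get-stages` / boto3 get_stages and
builds the patch operations used by `update-stage`. Sample data below is
constructed for illustration; the stage names are made up.
"""
import json

# Constructed sample of a get-stages response for one REST API.
# methodSettings keys are "<resource path with / escaped as ~1>/<HTTP method>",
# with "*/*" meaning all methods on all resources.
SAMPLE_GET_STAGES = json.loads("""
{
  "item": [
    {
      "stageName": "Production",
      "cacheClusterEnabled": true,
      "cacheClusterSize": "0.5",
      "methodSettings": {
        "*/*": {"cachingEnabled": true, "cacheTtlInSeconds": 300, "cacheDataEncrypted": true},
        "~1orders/GET": {"cachingEnabled": true, "cacheTtlInSeconds": 60, "cacheDataEncrypted": false}
      }
    },
    {
      "stageName": "Staging",
      "cacheClusterEnabled": true,
      "cacheClusterSize": "0.5",
      "methodSettings": {
        "*/*": {"cachingEnabled": true, "cacheTtlInSeconds": 300, "cacheDataEncrypted": true}
      }
    },
    {
      "stageName": "Dev",
      "cacheClusterEnabled": false,
      "methodSettings": {}
    }
  ]
}
""")


def find_unencrypted_caches(get_stages_response):
    """Return (stageName, methodSettings key) pairs where responses are cached
    but cacheDataEncrypted is not true. Stages without a cache cluster cache
    nothing, so they are skipped."""
    findings = []
    for stage in get_stages_response.get("item", []):
        if not stage.get("cacheClusterEnabled", False):
            continue
        for method_key, settings in stage.get("methodSettings", {}).items():
            if settings.get("cachingEnabled") and not settings.get("cacheDataEncrypted"):
                findings.append((stage["stageName"], method_key))
    return findings


def stage_status(get_stages_response):
    """Classify each stage as 'disabled' (no cache cluster), 'encrypted'
    (every cached method encrypts its data) or 'unencrypted'."""
    unencrypted_stages = {stage for stage, _ in find_unencrypted_caches(get_stages_response)}
    status = {}
    for stage in get_stages_response.get("item", []):
        name = stage["stageName"]
        if not stage.get("cacheClusterEnabled", False):
            status[name] = "disabled"
        elif name in unencrypted_stages:
            status[name] = "unencrypted"
        else:
            status[name] = "encrypted"
    return status


def remediation_patch_operations(method_keys=("*/*",)):
    """Patch operations for update-stage: turn the cache cluster on and set
    dataEncrypted on the given method settings (default: the */* wildcard,
    which is what the CLI command in this document targets). Values are
    strings because the API Gateway patch document requires them."""
    ops = [{"op": "replace", "path": "/cacheClusterEnabled", "value": "true"}]
    for key in method_keys:
        ops.append({"op": "replace", "path": f"/{key}/caching/dataEncrypted", "value": "true"})
    return ops


def remediate_live(rest_api_id, stage_name, region="us-east-1"):
    """Hypothetical helper: fetch a real API's stages with boto3 (assumed
    installed and configured) and encrypt every unencrypted cached method on
    the named stage. boto3 is imported here so the offline checks above do
    not need it. Returns the method keys that were patched."""
    import boto3

    client = boto3.client("apigateway", region_name=region)
    stages = client.get_stages(restApiId=rest_api_id)
    targets = [key for stage, key in find_unencrypted_caches(stages) if stage == stage_name]
    if not targets:
        return []
    client.update_stage(restApiId=rest_api_id, stageName=stage_name,
                        patchOperations=remediation_patch_operations(targets))
    return targets


if __name__ == "__main__":
    print(json.dumps(stage_status(SAMPLE_GET_STAGES), indent=2))
    for stage, key in find_unencrypted_caches(SAMPLE_GET_STAGES):
        print(f"FINDING: stage {stage!r} caches {key!r} without encryption")
```

Run against the constructed sample, the script reports Production as unencrypted because a per-method override for `~1orders/GET` caches without encryption even though the `*/*` wildcard is encrypted; this is why an audit must walk every `methodSettings` entry rather than only the wildcard. The patch path for such an override keeps the `~1` escaping of the resource path, as in `/~1orders/GET/caching/dataEncrypted`.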

 

Backout plan:

  • Log in to the AWS Management Console

  • Go to the Amazon API Gateway console at https://console.aws.amazon.com/apigateway/

  • Choose the API

  • In the navigation panel, in the API submenu, click Stages to list the stages created for the selected API. 

  • In the Settings tab, under Cache Settings, uncheck the Enable API cache checkbox to disable the API cache

  • Click on the Save Changes button 


Using AWS CLI Command:

To disable the API cache for a stage:

aws apigateway update-stage \
  --rest-api-id <api_id> \
  --stage-name <stage_name> \
  --patch-operations 'op=replace,path=/cacheClusterEnabled,value=false'

Note that `aws apigateway flush-stage-cache --rest-api-id <api_id> --stage-name <stage_name>` only empties the existing cache; it does not disable caching for the stage.


Note:

The cache capacity affects the CPU, memory, and network bandwidth of the cache instance. As a result, the cache capacity can affect the performance of your cache. AWS recommends that you run a 10-minute load test to verify that your cache capacity is appropriate for your workload. Ensure that traffic during the load test mirrors production traffic, including ramp-up, constant traffic, and traffic spikes. The load test should include responses that can be served from the cache, as well as unique responses that add items to the cache. Monitor the latency, 4xx, 5xx, cache hit, and cache miss metrics during the load test, and adjust your cache capacity as needed based on these metrics.

 

Reference: