Profile Applicability:

  • Level 1

Description:

AWS X-Ray is a service that helps you analyze and debug production applications, particularly those built using a microservices architecture. By enabling X-Ray tracing in API Gateway, you can gain deep insights into the performance of your API calls, including bottlenecks, latencies, and failures. This SOP ensures that AWS X-Ray tracing is enabled for all API Gateway REST API stages to allow for comprehensive monitoring and troubleshooting of API requests and responses.

Rationale:

Enabling X-Ray tracing for API Gateway helps in:

  • Monitoring API performance: Allows you to trace each API request, monitor latencies, and identify bottlenecks or slow functions.

  • Troubleshooting: Helps identify and debug issues in production APIs by providing detailed request and response traces, which aids in quick resolution of errors.

  • Compliance and Security: Provides audit trails of API calls, which is important for compliance in environments with stringent monitoring requirements.

Impact:

Pros:

  • Improved Observability: X-Ray provides detailed visibility into the request flow and performance metrics, making it easier to identify performance bottlenecks and errors.

  • Faster Debugging: With request and response tracing, identifying the root cause of issues is quicker, allowing for faster resolution

  • Comprehensive Metrics: Helps in proactive monitoring of API Gateway, ensuring high availability and efficient resource utilization.

Cons:

  • Slight Overhead: Enabling tracing may incur minimal performance overhead as each request and response is processed and logged for analysis.

  • Costs: AWS X-Ray charges based on the number of traces recorded, so enabling tracing for high volumes of API calls may incur additional costs.

Default Value:

By default, X-Ray tracing is disabled for API Gateway stages. It must be explicitly enabled to start capturing trace data for requests passing through the API Gateway.

Pre-requisites:

  • AWS IAM Permissions:

    • apigateway:GET

    • apigateway:PUT

    • xray:PutTelemetryRecords

  • AWS CLI or AWS Console access to configure API Gateway settings.

  • AWS X-Ray should be set up and available in the region you are working in.

Remediation:

Test plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to API Gateway under Services.

  3. In the API Gateway Console, select the REST API whose stage you want to check.

  4. In the left-hand menu, select Stages.

  5. Choose the stage you want to verify.

  6. Under the Stage Editor, scroll down to the Logging and Tracing section.

  7. Ensure that the Enable X-Ray Tracing option is checked.

    • If unchecked, enable it by selecting Enable X-Ray Tracing and save changes.

Using AWS CLI:

To list the stages in your API Gateway, run:

aws apigateway get-stages --rest-api-id <api-id>

To check if X-Ray tracing is enabled for a specific stage, run:

aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'stageDescription.tracingEnabled'

  • If the result is true, X-Ray tracing is enabled.

  • If false, tracing is disabled.

To enable X-Ray tracing for a specific stage, run:

aws apigateway update-stage --rest-api-id <api-id> --stage-name <stage-name> --patch-operations op=replace,path=/tracingEnabled,value=true

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to API Gateway.

  2. In the API Gateway Console, select your REST API.

  3. Select the Stage under Stages.

  4. In the Stage Editor, locate the Logging and Tracing section.

  5. Enable X-Ray tracing by checking the box next to Enable X-Ray Tracing.

  6. Save the changes and confirm that the tracing is now enabled.

Using AWS CLI:

Use the following command to enable X-Ray tracing for an API Gateway stage:

aws apigateway update-stage --rest-api-id <api-id> --stage-name <stage-name> --patch-operations op=replace,path=/tracingEnabled,value=true

After enabling, confirm the configuration by running:

aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'stageDescription.tracingEnabled'

Backout Plan:

Using AWS Console:

  1. If enabling X-Ray tracing causes any issues (e.g., performance degradation, unintended data exposure):

    • Navigate back to the Stage Editor.

    • Uncheck the Enable X-Ray Tracing option.

    • Save changes.

Using AWS CLI:

If enabling X-Ray tracing causes issues, you can disable it using:

aws apigateway update-stage --rest-api-id <api-id> --stage-name <stage-name> --patch-operations op=replace,path=/tracingEnabled,value=false

Confirm that X-Ray tracing has been disabled:

aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'stageDescription.tracingEnabled'

Note :

  • Monitoring: After enabling X-Ray tracing, you can monitor the trace data in AWS X-Ray to see the detailed traces of API calls. You can identify bottlenecks or errors in the flow of requests through your API.

  • Costs: Be mindful of the cost implications of using X-Ray for high-volume APIs, as the tracing incurs charges based on the number of traces recorded and processed.

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

6.1

Ensure appropriate authentication and authorization controls are implemented for API endpoints.

v8

6.4

Implement security controls to protect sensitive applications and data from unauthorized access.

v8

14.3

Enforce security and authentication for API gateways to limit access to valid requests.