
πŸ“ AWS API Gateway REST API Stage X-Ray Tracing is not enabled 🟒

  • Contextual name: 📁 REST API Stage X-Ray Tracing is not enabled 🟢
  • ID: /ce/ca/aws/apigateway/rest-api-stage-x-ray-tracing
  • Located in: 📁 AWS API Gateway

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • PERFORMANCE

Similar Policies

  • Internal
    • dec-x-82388e10

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-82388e10 | 1 |

Logic

Description

Enable X-Ray active tracing for API Gateway REST API stages to capture real-time metrics and trace the flow of user requests. This ensures enhanced monitoring and performance optimization across connected API Gateway and backend services.

Rationale

Enabling X-Ray Active tracing provides detailed visibility into API request performance, allowing rapid identification and resolution of bottlenecks or anomalies in the underlying infrastructure. With real-time metrics, teams can respond proactively to issues, reducing downtime risks and improving system performance. This traceability is especially critical for applications with complex dependencies and distributed architectures.

Impact

Enabling X-Ray Active tracing incurs costs associated with trace data processing and storage.

Audit

This policy marks an API Gateway Stage as INCOMPLIANT if the X-Ray Tracing Enabled field is set to No.

Remediation

From Command Line

Enable X-Ray tracing

Use the following command to update the Stage settings and enable X-Ray tracing:

aws apigateway update-stage \
    --rest-api-id {{rest-api-id}} \
    --stage-name {{stage-name}} \
    --patch-operations op=replace,path=/tracingEnabled,value=true

Test API calls

Perform a few API calls and verify that traces appear in the AWS X-Ray console. Ensure that the traces show accurate request flows and performance metrics.
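As an added example (not Cloudaware's policy code), the audit rule and the remediation above expressed in Python: it evaluates the `item` list that `aws apigateway get-stages` returns, using a constructed sample, and builds the same patch operation the CLI command sends. The `remediate_live` helper and its use of boto3 are an assumption for running the check against a real account; the evaluation functions run offline.

```python
"""Audit API Gateway REST API stages for X-Ray active tracing (added example)."""
from __future__ import annotations

# Constructed sample in the shape of a `get-stages` response; stage names and
# deployment ids are made up for illustration.
SAMPLE_GET_STAGES = {
    "item": [
        {"stageName": "prod", "deploymentId": "abc123", "tracingEnabled": True},
        {"stageName": "staging", "deploymentId": "def456", "tracingEnabled": False},
        {"stageName": "dev", "deploymentId": "ghi789"},  # field absent: not enabled
    ]
}


def is_compliant(stage: dict) -> bool:
    """A stage passes only when tracingEnabled is the boolean true.
    A missing field (or the string "true") is treated as not enabled."""
    return stage.get("tracingEnabled", False) is True


def non_compliant_stages(get_stages_response: dict) -> list[str]:
    """Return the names of stages the policy would mark INCOMPLIANT."""
    return [s["stageName"] for s in get_stages_response.get("item", [])
            if not is_compliant(s)]


def tracing_patch_operations() -> list[dict]:
    """Patch document equivalent to the CLI argument
    `op=replace,path=/tracingEnabled,value=true` (the API takes string values)."""
    return [{"op": "replace", "path": "/tracingEnabled", "value": "true"}]


def remediate_live(rest_api_id: str, region: str | None = None,
                   dry_run: bool = True) -> list[str]:
    """Audit a real REST API and, unless dry_run, enable tracing on every failing
    stage. Assumes AWS credentials and boto3 are available; boto3 is imported
    lazily so the pure evaluation functions above stay usable offline."""
    import boto3  # assumption: boto3 installed when this path is used
    client = boto3.client("apigateway", region_name=region)
    failing = non_compliant_stages(client.get_stages(restApiId=rest_api_id))
    if not dry_run:
        for name in failing:
            client.update_stage(restApiId=rest_api_id, stageName=name,
                                patchOperations=tracing_patch_operations())
    return failing


if __name__ == "__main__":
    print("Non-compliant stages in sample:", non_compliant_stages(SAMPLE_GET_STAGES))
```

Run `remediate_live("<rest-api-id>")` first with the default dry run to see which stages would change before applying the patch.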

policy.yaml

Linked Framework Sections

Section | Sub Section | Counts (Internal Rules, Policies, Flags)
💼 APRA CPG 234 → 💼 36i service level management mechanisms — to monitor, manage and align information security with business objectives; | 22
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled | 11
💼 Cloudaware Framework → 💼 Performance Tuning | 3
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) | 247
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H) | 28
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H) | 4648
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) | 47
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H) | 18
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) | 47
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H) | 28
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities | 26
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources | 26
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | 83
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events | 8
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events | 59
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events | 27
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 89
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations | 10
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | 23
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | 24
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded | 22
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | 24
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation | 44547
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring | 68