
🛡️ AWS API Gateway REST API Stage X-Ray Tracing is not enabled 🟢

  • Contextual name: 🛡️ REST API Stage X-Ray Tracing is not enabled 🟢
  • ID: /ce/ca/aws/apigateway/rest-api-stage-x-ray-tracing
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: PERFORMANCE

Logic​

Similar Policies​

  • Internal: dec-x-82388e10

Similar Internal Rules​

Rule | Policies | Flags
✉️ dec-x-82388e10 | 1 |

Description​


Enable X-Ray active tracing for API Gateway REST API stages to capture real-time metrics and trace the flow of user requests. This ensures enhanced monitoring and performance optimization across connected API Gateway and backend services.

Rationale​

Enabling X-Ray Active tracing provides detailed visibility into API request performance, allowing rapid identification and resolution of bottlenecks or anomalies in the underlying infrastructure. With real-time metrics, teams can respond proactively to issues, reducing downtime risks and improving system performance. This traceability is especially critical for applications with complex dependencies and distributed architectures.

Impact​

Enabling X-Ray Active tracing incurs costs associated with trace data processing and storage.

Audit​

This policy marks an API Gateway Stage as INCOMPLIANT if the X-Ray Tracing Enabled field is set to No.

Remediation​


From Command Line​

Enable X-Ray tracing​

Use the following command to update the Stage settings and enable X-Ray tracing:

aws apigateway update-stage \
--rest-api-id {{rest-api-id}} \
--stage-name {{stage-name}} \
--patch-operations op=replace,path=/tracingEnabled,value=true

Test API calls

Perform a few API calls and verify that traces appear in the AWS X-Ray console. Ensure that the traces show accurate request flows and performance metrics.
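
To run the same audit and remediation across every REST API stage in a region rather than one stage at a time, the following added example (not part of the original policy page) wraps the command above in two POSIX shell functions. It assumes a configured AWS CLI; the function names and the `--audit`/`--fix` arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the policy page. Function names and the
# --audit/--fix arguments are hypothetical; the aws subcommands are real.

# Print "<rest-api-id> <stage-name>" for each stage in the current region
# whose tracingEnabled is false or absent (the policy's INCOMPLIANT case).
list_untraced_stages() (
  for api in $(aws apigateway get-rest-apis \
      --query 'items[].id' --output text); do
    for stage in $(aws apigateway get-stages --rest-api-id "$api" \
        --query 'item[?tracingEnabled!=`true`].stageName' --output text); do
      printf '%s %s\n' "$api" "$stage"
    done
  done
)

# Read "<rest-api-id> <stage-name>" pairs on stdin and apply the page's
# remediation command to each one; stop at the first failed update.
enable_tracing() (
  while read -r api stage; do
    [ -n "$stage" ] || continue
    aws apigateway update-stage \
      --rest-api-id "$api" \
      --stage-name "$stage" \
      --patch-operations op=replace,path=/tracingEnabled,value=true \
      >/dev/null || exit 1
    printf 'enabled %s/%s\n' "$api" "$stage"
  done
)

# Entry point: report only, or report and remediate.
case "${1:-}" in
  --audit) list_untraced_stages ;;
  --fix)   list_untraced_stages | enable_tracing ;;
esac
```

Running the script with `--audit` again after `--fix` should print nothing once every stage has tracing enabled.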


Linked Framework Sections​

Section | Sub Sections / Internal Rules / Policies / Flags | Compliance
💼 APRA CPG 234 → 💼 36i service level management mechanisms — to monitor, manage and align information security with business objectives; | 22 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled | 11 | no data
💼 Cloudaware Framework → 💼 Performance Tuning | 4 | no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) | 265 | no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H) | 213 | no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H) | 4851 | no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) | 65 | no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H) | 113 | no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H) | 65 | no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H) | 213 | no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities | 35 | no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources | 50 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | 145 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events | 13 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events | 85 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events | 35 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 142 | no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations | 26 | no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | 40 | no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | 41 | no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded | 31 | no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | 31 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation | 44765 | no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring | 613 | no data