API Gateway X-Ray disabled

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > API Gateway X-Ray disabled

Metadata

Id: 2059155b-27fd-441e-b616-6966c468561f

Cloud Provider: AWS

Platform: Ansible

Severity: Low

Category: Observability

Learn More

Provider Reference

Description

API Gateway resources should have AWS X-Ray tracing enabled to provide end-to-end request visibility and support detection of anomalous or malicious activity. For Ansible tasks that use the community.aws.api_gateway or api_gateway modules, set the tracing_enabled property to true. Tasks missing tracing_enabled or with tracing_enabled: false are flagged because they disable observability needed for effective incident response and root-cause analysis.

Secure Ansible task example:

- name: Configure API Gateway with X-Ray tracing
  community.aws.api_gateway:
    name: my-api
    tracing_enabled: true

Compliant Code Examples

- name: Setup AWS API Gateway setup on AWS and deploy API definition
  community.aws.api_gateway:
    swagger_file: my_api.yml
    stage: production
    cache_enabled: true
    cache_size: '1.6'
    tracing_enabled: true
    endpoint_type: EDGE
    state: present

Non-Compliant Code Examples

---
- name: Setup AWS API Gateway setup on AWS and deploy API definition
  community.aws.api_gateway:
    swagger_file: my_api.yml
    stage: production
    cache_enabled: true
    cache_size: '1.6'
    tracing_enabled: false
    endpoint_type: EDGE
    state: present
- name: Update API definition to deploy new version
  community.aws.api_gateway:
    api_id: 'abc123321cba'
    swagger_file: my_api.yml
    deploy_desc: Make auth fix available.
    cache_enabled: true
    cache_size: '1.6'
    endpoint_type: EDGE
    state: present