Metadata

Id: c757c6a3-ac87-4b9d-b28d-e5a5add6a315

Cloud Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Observability

Description

Serverless APIs should have AWS X-Ray tracing enabled to capture distributed traces for requests, which helps diagnose performance issues and investigate security incidents or anomalous application behavior. The TracingEnabled property on AWS::Serverless::Api resources must be defined and set to true. Resources with TracingEnabled missing, null, or set to false will be flagged.

Secure configuration example:

MyServerlessApi:
  Type: AWS::Serverless::Api
  Properties:
    Name: MyApi
    StageName: prod
    TracingEnabled: true

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi3:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi2:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: false

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
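
The check described above can be reproduced in a pre-deploy script. The following is an added example, not the scanner's own implementation: it takes a template that has already been parsed into a Python dict (by whatever YAML or JSON loader you use) and reports every AWS::Serverless::Api resource whose TracingEnabled is missing, null, or false. The function name, the "unresolved" reason for values that are not a literal boolean (for example an intrinsic function), and the ApiGatewayApi4 and Handler resources in the sample are assumptions of this example.

```python
SAM_API_TYPE = "AWS::Serverless::Api"


def check_tracing(template):
    """Return (logical_id, reason) for each AWS::Serverless::Api failing the rule."""
    findings = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") != SAM_API_TYPE:
            continue  # the rule only applies to SAM API resources
        props = resource.get("Properties") or {}
        if "TracingEnabled" not in props:
            reason = "missing"
        else:
            value = props["TracingEnabled"]
            if value is True:
                continue  # compliant
            if value is None:
                reason = "null"
            elif value is False:
                reason = "false"
            else:
                # Assumption of this example: anything that is not a literal
                # boolean (e.g. {"Ref": ...}) is reported for manual review.
                reason = "unresolved"
        findings.append((logical_id, reason))
    return findings


# Constructed sample: the three resources from the examples on this page merged
# into one template, plus a null case and a non-API resource added for coverage.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "ApiGatewayApi": {"Type": SAM_API_TYPE, "Properties": {"StageName": "prod"}},
        "ApiGatewayApi2": {"Type": SAM_API_TYPE,
                           "Properties": {"StageName": "prod", "TracingEnabled": False}},
        "ApiGatewayApi3": {"Type": SAM_API_TYPE,
                           "Properties": {"StageName": "prod", "TracingEnabled": True}},
        "ApiGatewayApi4": {"Type": SAM_API_TYPE,
                           "Properties": {"StageName": "prod", "TracingEnabled": None}},
        "Handler": {"Type": "AWS::Serverless::Function", "Properties": {}},
    },
}

if __name__ == "__main__":
    for logical_id, reason in check_tracing(SAMPLE_TEMPLATE):
        print(f"{logical_id}: TracingEnabled {reason}")
```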