API Gateway X-Ray disabled

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > API Gateway X-Ray disabled

Metadata

Id: 5813ef56-fa94-406a-b35d-977d4a56ff2b

Cloud Provider: aws

Framework: Terraform

Severity: Low

Category: Observability

Learn More

Provider Reference

Description

Enabling X-Ray tracing in AWS API Gateway stages provides detailed observability by capturing request traces, which are essential for monitoring, debugging, and identifying performance bottlenecks or errors in distributed applications. When the Terraform configuration for an API Gateway stage omits the attribute xray_tracing_enabled, or explicitly sets xray_tracing_enabled = false, as shown below, tracing is disabled:

resource "aws_api_gateway_stage" "example" {
  stage_name    = "prod"
  rest_api_id   = aws_api_gateway_rest_api.test.id
  deployment_id = aws_api_gateway_deployment.test.id
  xray_tracing_enabled = false
}

Without X-Ray tracing, issues such as increased latency or failed requests may go undetected and unresolved, limiting visibility into the lifecycle of requests as they traverse backend integrations and microservices. Leaving tracing disabled increases operational risks and reduces the ability to promptly identify and remediate failures or security incidents, ultimately impacting the reliability and security of the API service.

Compliant Code Examples

resource "aws_api_gateway_stage" "negative1" {
  stage_name    = "prod"
  rest_api_id   = aws_api_gateway_rest_api.test.id
  deployment_id = aws_api_gateway_deployment.test.id
  xray_tracing_enabled = true
}

Non-Compliant Code Examples

resource "aws_api_gateway_stage" "positive1" {
  stage_name    = "prod"
  rest_api_id   = aws_api_gateway_rest_api.test.id
  deployment_id = aws_api_gateway_deployment.test.id
  xray_tracing_enabled = false
}

resource "aws_api_gateway_stage" "positive2" {
  stage_name    = "prod"
  rest_api_id   = aws_api_gateway_rest_api.test.id
  deployment_id = aws_api_gateway_deployment.test.id
}