Enable API Cache

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AG-010

Ensure that response caching is enabled for your Amazon API Gateway REST APIs in order to enhance API responsiveness and decrease latency.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Well-Architected Framework pillars: Performance efficiency, Sustainability

Response caching reduces the number of calls made to your API endpoint and improves the latency of requests to your API. When you enable caching for an API stage, Amazon API Gateway caches responses from your endpoint for a specified time-to-live (TTL) period, in seconds. For a cached request, API Gateway looks up the endpoint response in the cache instead of making a new request to your API endpoint, so the API request is served much faster.

Note: The default time-to-live (TTL) value for API caching is 300 seconds. The maximum TTL value is 3600 seconds. TTL = 0 means caching is disabled. The maximum size of a response that can be cached is 1048576 bytes.


Audit

To determine if your API Gateway API stages have response caching enabled, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to access the APIs listing page.

04 Choose the REST API that you want to examine, then click on its name (link) to access the API configuration. To identify a REST API, check the value available in the Protocol column for each listed API.

05 In the navigation panel, within the API submenu, click Stages to list the stages created for the selected API.

06 Under Stages, choose the REST API stage that you want to examine.

07 Select the Settings tab from the console top panel to access the stage settings.

08 On the Settings panel, within Cache Settings section, check the Enable API cache setting status. If the Enable API cache setting checkbox is not checked, the selected Amazon API Gateway API stage does not have response caching enabled.

09 Repeat steps no. 6 – 8 to determine the API cache setting status for other stages created for the selected API.

10 Repeat steps no. 4 – 9 to verify other REST APIs available within the current AWS cloud region.

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the REST APIs available in the selected AWS region:

aws apigateway get-rest-apis \
  --region us-east-1 \
  --output table \
  --query 'items[*].id'

02 The command output should return a table with the requested API identifiers (IDs):

----------------
|  GetRestApis |
+--------------+
|  abcdabcdab  |
|  aabbccddee  |
|  aaabbbbccc  |
+--------------+ 

03 Run get-stages command (OSX/Linux/UNIX) using the ID of the REST API that you want to examine as identifier and custom query filters to get the name(s) of the API stage(s) created for the selected API:

aws apigateway get-stages \
  --region us-east-1 \
  --rest-api-id abcdabcdab \
  --output table \
  --query 'item[*].stageName'

04 The command output should return a table with the API stage name(s):

----------------
|   GetStages  |
+--------------+
|  Production  |
|  Staging     |
|  Development |
+--------------+

05 Execute get-stages command (OSX/Linux/UNIX) using the name of the API stage that you want to examine as identifier parameter and custom query filters to obtain the API caching configuration status available for the selected API stage:

aws apigateway get-stages \
  --region us-east-1 \
  --rest-api-id abcdabcdab \
  --query 'item[?(stageName==`Production`)].cacheClusterEnabled | []'

06 The command output should return the requested configuration information:

[
	false
]

If get-stages command output returns false, as shown in the example above, the API response caching is not enabled for the selected Amazon API Gateway API stage.

07 Repeat steps no. 5 and 6 to determine the API cache setting status for other stages created for the selected API.

08 Repeat steps no. 3 – 7 to check other REST APIs available in the selected AWS cloud region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire audit process for other regions.
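The CLI audit above (get-rest-apis, then get-stages, then cacheClusterEnabled per stage) can be automated. The following script is an added example, not Conformity's own code: the rule logic is kept in pure functions that take the get-stages response shape shown above, so it can be tested on constructed data, and audit_region() runs the same logic against a live region through a boto3 apigateway client (assumed to be supplied by the caller with apigateway:GET permissions). It also applies the TTL facts from the Note (TTL 0 disables caching, maximum 3600 seconds) to the */* method settings, which the page's CLI step does not inspect. The function and field names (Finding, evaluate_stage, evaluate_api, audit_region) and the SAMPLE_STAGES data are this example's own.

```python
"""Audit Amazon API Gateway REST API stages for response caching (rule AG-010).

Added example, not Conformity's own code. Mirrors the CLI audit:
get-rest-apis -> get-stages -> cacheClusterEnabled, plus TTL sanity checks
taken from the Note (TTL 0 disables caching; maximum TTL is 3600 seconds).
"""
from dataclasses import dataclass, field

MAX_TTL_SECONDS = 3600  # maximum TTL stated on the page


@dataclass
class Finding:
    api_id: str
    stage_name: str
    compliant: bool
    reasons: list = field(default_factory=list)


def evaluate_stage(api_id: str, stage: dict) -> Finding:
    """Apply rule AG-010 to one stage item as returned by get-stages.

    The stage passes when a cache cluster is enabled. The default (*/*)
    method settings are inspected too: caching can be switched off there,
    or given TTL 0, which leaves the cluster running but unused.
    """
    reasons = []
    if not stage.get("cacheClusterEnabled", False):
        reasons.append("cacheClusterEnabled is false")
    default_settings = stage.get("methodSettings", {}).get("*/*", {})
    if default_settings:
        if not default_settings.get("cachingEnabled", False):
            reasons.append("methodSettings */* has cachingEnabled false")
        ttl = default_settings.get("cacheTtlInSeconds")
        if ttl is not None and ttl == 0:
            reasons.append("cacheTtlInSeconds is 0 (caching disabled)")
        elif ttl is not None and ttl > MAX_TTL_SECONDS:
            reasons.append(f"cacheTtlInSeconds {ttl} exceeds maximum {MAX_TTL_SECONDS}")
    return Finding(api_id, stage["stageName"], not reasons, reasons)


def evaluate_api(api_id: str, stages_response: dict) -> list:
    """Evaluate every stage in a get-stages response ({"item": [...]})."""
    return [evaluate_stage(api_id, s) for s in stages_response.get("item", [])]


def audit_region(client) -> list:
    """Run the audit against a live account.

    `client` is a boto3 apigateway client bound to one region (assumption:
    the caller creates it and has apigateway:GET rights). get_rest_apis is
    paginated, so the paginator is used instead of a single call.
    """
    findings = []
    for page in client.get_paginator("get_rest_apis").paginate():
        for api in page.get("items", []):
            stages = client.get_stages(restApiId=api["id"])
            findings.extend(evaluate_api(api["id"], stages))
    return findings


# Constructed sample in the get-stages response shape shown above; the
# API ID and stage names are the page's example values, the settings are made up.
SAMPLE_STAGES = {
    "item": [
        {"stageName": "Production", "cacheClusterEnabled": True,
         "methodSettings": {"*/*": {"cachingEnabled": True, "cacheTtlInSeconds": 3600}}},
        {"stageName": "Staging", "cacheClusterEnabled": False, "methodSettings": {}},
        {"stageName": "Development", "cacheClusterEnabled": True,
         "methodSettings": {"*/*": {"cachingEnabled": False, "cacheTtlInSeconds": 300}}},
    ]
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # audit_region(boto3.client("apigateway", region_name=...)) for a live run.
    for f in evaluate_api("abcdabcdab", SAMPLE_STAGES):
        status = "PASS" if f.compliant else "FAIL"
        print(f"{status} {f.api_id}/{f.stage_name} {'; '.join(f.reasons)}")
```

Run it per region in a loop over the regions you use, exactly as step 09 tells you to change --region; the evaluation functions do not depend on boto3, so the rule can also be applied to get-stages output saved to a file.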

Remediation / Resolution

To enable response caching for your existing Amazon API Gateway REST APIs, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable API Cache",
	"Resources": {
		"RestAPI": {
			"Type": "AWS::ApiGateway::RestApi",
			"Properties": {
				"Name": "WebServiceRestAPI",
				"Description": "A simple API Gateway REST API"
			}
		},
		"RootMethod": {
			"Type": "AWS::ApiGateway::Method",
			"Properties": {
				"RestApiId": { "Ref": "RestAPI" },
				"ResourceId": { "Fn::GetAtt": ["RestAPI", "RootResourceId"] },
				"HttpMethod": "GET",
				"AuthorizationType": "AWS_IAM",
				"Integration": {
					"Type": "MOCK",
					"RequestTemplates": { "application/json": "{\"statusCode\": 200}" },
					"IntegrationResponses": [ { "StatusCode": "200" } ]
				},
				"MethodResponses": [ { "StatusCode": "200" } ]
			}
		},
		"StageDeployment": {
			"Type": "AWS::ApiGateway::Deployment",
			"DependsOn": "RootMethod",
			"Properties": {
				"RestApiId": { "Ref": "RestAPI" }
			}
		},
		"APIStage": {
			"Type": "AWS::ApiGateway::Stage",
			"Properties": {
				"DeploymentId": { "Ref": "StageDeployment" },
				"RestApiId": { "Ref": "RestAPI" },
				"StageName": "Production",
				"TracingEnabled": true,
				"CacheClusterEnabled": true,
				"CacheClusterSize": "0.5",
				"MethodSettings": [
					{
						"ResourcePath": "/*",
						"HttpMethod": "*",
						"CachingEnabled": true,
						"CacheTtlInSeconds": 3600
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable API Cache
Resources:
  RestAPI:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: WebServiceRestAPI
      Description: A simple API Gateway REST API
  # A deployment fails unless the API has at least one method; this MOCK
  # method is a placeholder for the real methods of your API.
  RootMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref 'RestAPI'
      ResourceId: !GetAtt 'RestAPI.RootResourceId'
      HttpMethod: GET
      AuthorizationType: AWS_IAM
      Integration:
        Type: MOCK
        RequestTemplates:
          application/json: '{"statusCode": 200}'
        IntegrationResponses:
          - StatusCode: '200'
      MethodResponses:
        - StatusCode: '200'
  StageDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: RootMethod
    Properties:
      RestApiId: !Ref 'RestAPI'
  APIStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId: !Ref 'StageDeployment'
      RestApiId: !Ref 'RestAPI'
      StageName: Production
      TracingEnabled: true
      # A cache cluster must be enabled on the stage for CachingEnabled
      # below to take effect; '0.5' (GB) is the smallest cache size.
      CacheClusterEnabled: true
      CacheClusterSize: '0.5'
      MethodSettings:
        - ResourcePath: /*
          HttpMethod: '*'
          CachingEnabled: true
          CacheTtlInSeconds: 3600

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_api_gateway_rest_api" "rest-api" {
	name        = "web-service-rest-api"
	description = "A simple API Gateway REST API"
}

# A deployment fails unless the API has at least one method; this MOCK
# method stands in for the real methods of your API.
resource "aws_api_gateway_method" "root-get" {
	rest_api_id   = aws_api_gateway_rest_api.rest-api.id
	resource_id   = aws_api_gateway_rest_api.rest-api.root_resource_id
	http_method   = "GET"
	authorization = "AWS_IAM"
}

resource "aws_api_gateway_integration" "root-get-mock" {
	rest_api_id = aws_api_gateway_rest_api.rest-api.id
	resource_id = aws_api_gateway_method.root-get.resource_id
	http_method = aws_api_gateway_method.root-get.http_method
	type        = "MOCK"
}

resource "aws_api_gateway_deployment" "rest-api-deployment" {
	rest_api_id = aws_api_gateway_rest_api.rest-api.id

	depends_on = [aws_api_gateway_integration.root-get-mock]
}

resource "aws_api_gateway_stage" "api-stage" {
	deployment_id        = aws_api_gateway_deployment.rest-api-deployment.id
	rest_api_id          = aws_api_gateway_rest_api.rest-api.id
	stage_name           = "Production"
	xray_tracing_enabled = true

	# A cache cluster must be enabled on the stage for caching_enabled in the
	# method settings below to take effect; "0.5" (GB) is the smallest size.
	cache_cluster_enabled = true
	cache_cluster_size    = "0.5"
}

resource "aws_api_gateway_method_settings" "api-gateway-method-settings" {
	rest_api_id = aws_api_gateway_rest_api.rest-api.id
	stage_name  = aws_api_gateway_stage.api-stage.stage_name
	method_path = "*/*"
	settings {
		caching_enabled      = true
		cache_ttl_in_seconds = 3600
	}
}

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs.

04 Choose the REST API that you want to reconfigure, then click on its name (link) to access the API configuration settings.

05 In the navigation panel, in the API submenu, click Stages to list the stages created for the selected API.

06 Under Stages, choose the API stage that you want to reconfigure (see Audit section part I to identify the right stage).

07 Select the Settings tab from the console top panel to access the stage settings.

08 On the Settings panel, in the Cache Settings section, perform the following actions:

  1. Select Enable API cache setting checkbox to enable response caching for the selected Amazon API Gateway API stage.
  2. For Cache capacity, specify the size of the cache for the selected API stage.
  3. For Encrypt cache data, choose whether to encrypt the API stage cached responses.
  4. For Cache time-to-live (TTL), configure the time to live (TTL), in seconds, for the cached responses. The higher the TTL, the longer the API response will be cached. The value must be an integer no greater than 3600.
  5. For Require authorization, specify whether authorization is required for a cache invalidation request. If you enable this feature, you must also specify how to handle unauthorized requests for cache invalidation by selecting the appropriate option from the Handle unauthorized requests dropdown list.
  6. Choose Save Changes to apply the new configuration changes. It takes Amazon API Gateway about 5 minutes to finish enabling response caching.

09 Repeat steps no. 6 – 8 to enable and configure response caching for other stages created for the selected REST API.

10 Repeat steps no. 4 – 9 to reconfigure other Amazon API Gateway APIs available within the current AWS region.

11 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run update-stage command (OSX/Linux/UNIX) using the name of the API stage that you want to reconfigure as identifier parameter (see Audit section part II to identify the right API stage) to enable response caching for the selected Amazon API Gateway API stage. The following command example enables caching for an API stage named "Production", created for an API identified by the ID "abcdabcdab":

aws apigateway update-stage \
  --region us-east-1 \
  --rest-api-id abcdabcdab \
  --stage-name 'Production' \
  --patch-operations op=replace,path=/*/*/caching/enabled,value=true

02 The command output should return the metadata available for the reconfigured API stage:

{
	"tracingEnabled": true,
	"stageName": "Production",
	"cacheClusterSize": "0.5",
	"cacheClusterEnabled": true,
	"cacheClusterStatus": "CREATE_IN_PROGRESS",
	"deploymentId": "abcabc",
	"lastUpdatedDate": 1608581788,
	"createdDate": 1608581966,
	"methodSettings": {
		"*/*": {
			"throttlingRateLimit": 10000.0,
			"dataTraceEnabled": true,
			"metricsEnabled": false,
			"unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
			"cacheTtlInSeconds": 3600,
			"cacheDataEncrypted": false,
			"cachingEnabled": true,
			"throttlingBurstLimit": 5000,
			"requireAuthorizationForCacheControl": true
		}
	}
}

03 Repeat steps no. 1 and 2 to enable response caching for other API stages created for the selected REST API.

04 Repeat steps no. 1 – 3 to reconfigure other Amazon API Gateway APIs available in the selected AWS region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.
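When the update-stage step is scripted across many stages, it is worth making it idempotent and validating the TTL first. The following is an added example, not Conformity's own code: plan_cache_patch_operations() takes a stage description in the shape returned by get-stages/update-stage (as in the output above) and returns only the patch operations still needed, and remediate_stage() applies them through a boto3 apigateway client supplied by the caller (assumed to have apigateway:PATCH rights). The /*/*/caching/enabled path is the one used on the page; the /cacheClusterEnabled, /cacheClusterSize and /*/*/caching/ttlInSeconds paths are API Gateway's Stage update paths that the page does not show, and combining them in one update-stage call is this example's assumption. The cache size "0.5" matches the cacheClusterSize in the command output above; the TTL bounds come from the Note (TTL 0 disables caching, maximum 3600). All function names are this example's own.

```python
"""Idempotent remediation for rule AG-010 (added example, not Conformity's code).

Computes the minimal set of update-stage patch operations that turn on
response caching for a stage, then optionally applies them with boto3.
"""

MAX_TTL_SECONDS = 3600   # maximum TTL stated in the page's Note
DEFAULT_CACHE_SIZE = "0.5"  # smallest cache cluster size (GB), as in the page's output


def validate_ttl(ttl: int) -> int:
    """TTL must be 1..3600 inclusive; 0 would disable caching again."""
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl < 1 or ttl > MAX_TTL_SECONDS:
        raise ValueError(f"cache TTL must be between 1 and {MAX_TTL_SECONDS} seconds, got {ttl!r}")
    return ttl


def plan_cache_patch_operations(stage: dict, ttl: int = 3600,
                                cache_size: str = DEFAULT_CACHE_SIZE) -> list:
    """Return the patch operations needed to bring `stage` into compliance.

    Only settings that are not already correct are touched, so running this
    repeatedly against a compliant stage yields an empty list. Patch values
    are strings, as the update-stage API expects.
    """
    ttl = validate_ttl(ttl)
    ops = []
    if not stage.get("cacheClusterEnabled", False):
        # The cache cluster is what the Audit section's get-stages check looks at.
        ops.append({"op": "replace", "path": "/cacheClusterEnabled", "value": "true"})
        ops.append({"op": "replace", "path": "/cacheClusterSize", "value": cache_size})
    default = stage.get("methodSettings", {}).get("*/*", {})
    if not default.get("cachingEnabled", False):
        # Same path as the page's update-stage command.
        ops.append({"op": "replace", "path": "/*/*/caching/enabled", "value": "true"})
    if default.get("cacheTtlInSeconds") != ttl:
        ops.append({"op": "replace", "path": "/*/*/caching/ttlInSeconds", "value": str(ttl)})
    return ops


def remediate_stage(client, rest_api_id: str, stage_name: str, ttl: int = 3600) -> dict:
    """Read the stage, plan the patch, and apply it only if something changes.

    `client` is a boto3 apigateway client for the stage's region (assumption).
    Returns the stage description, as update-stage does, or the unchanged
    description when no patch was needed.
    """
    stage = client.get_stage(restApiId=rest_api_id, stageName=stage_name)
    ops = plan_cache_patch_operations(stage, ttl)
    if not ops:
        return stage
    return client.update_stage(restApiId=rest_api_id, stageName=stage_name,
                               patchOperations=ops)


if __name__ == "__main__":
    # Constructed sample: a stage with no cache cluster and no method settings.
    sample = {"stageName": "Staging", "cacheClusterEnabled": False, "methodSettings": {}}
    for op in plan_cache_patch_operations(sample):
        print(op)
```

For a live run, pass boto3.client("apigateway", region_name=...) together with the API ID and stage name from the Audit section; as with the console, expect cacheClusterStatus to report CREATE_IN_PROGRESS for a few minutes after the patch is applied.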

Publication date Dec 30, 2020