Content Encoding

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AG-004

Ensure that the Content Encoding feature is enabled for your Amazon API Gateway APIs in order to facilitate API payload compression. Once the feature is enabled, the API Gateway service compresses response bodies based on the client's Accept-Encoding header. API payload compression is triggered when the response body size is greater than or equal to the threshold configured as the minimum compression size (in bytes). You can set this threshold to a non-negative integer between 0 and 10485760 (10M bytes). The compression types supported by the Amazon API Gateway service are GZIP, DEFLATE, and IDENTITY.

This rule can help you with the following compliance standards:

  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance efficiency

Amazon API Gateway allows your client to call your API with compressed payloads using one of the supported compression types. The API Gateway service supports decompression of the request payload; however, you must configure your API to enable compression of the response payload. Enabling content encoding (i.e. compression) for your API payload will help you improve your API performance and reduce bandwidth utilization.


Audit

To determine if content encoding is enabled for your Amazon API Gateway APIs, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to API Gateway console at https://console.aws.amazon.com/apigateway/.

03 In the main navigation panel, select APIs to access your API Gateway APIs.

04 Click on the name (link) of the API that you want to examine.

05 Choose Settings from the API menu to access the configuration settings available for the selected API.

06 In the Content Encoding section, check the Content Encoding enabled configuration setting. If the Content Encoding enabled setting is disabled (i.e. the setting checkbox is not selected), the Content Encoding feature is not enabled for the selected Amazon API Gateway API, therefore the API payload is not compressed.

07 Repeat steps no. 4 – 6 to check the Content Encoding feature status for each Amazon API Gateway API available within the current AWS region.

08 Change the AWS region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the ID of each API Gateway API available in the selected AWS region:

aws apigateway get-rest-apis \
  --region us-east-1 \
  --output table \
  --query 'items[*].id'

02 The command output should return a table with the requested API ID(s):

----------------
|  GetRestApis |
+--------------+
|  aabbccaabb  |
|  abcaabbcca  |
|  abcdabcdab  |
+--------------+

03 Run the get-rest-api command (OSX/Linux/UNIX) using the ID of the Amazon API Gateway API that you want to examine as the identifier parameter and custom query filters to get the minimumCompressionSize configuration attribute value. The minimumCompressionSize configuration attribute measures the compression threshold and requires a non-negative integer value between 0 and 10485760 (bytes):

aws apigateway get-rest-api \
  --region us-east-1 \
  --rest-api-id aabbccaabb \
  --query 'minimumCompressionSize'

04 The command output should return the minimumCompressionSize attribute value, a nullable integer (between 0 and 10485760) that is used to enable compression:

null

If the get-rest-api command output returns null, as shown in the example above, the minimumCompressionSize configuration attribute is not configured (i.e. the compression is disabled), therefore the Content Encoding feature is not enabled for the selected Amazon API Gateway API.

05 Repeat steps no. 3 and 4 to check the Content Encoding feature status for each Amazon API Gateway API available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
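
The CLI audit steps above can be scripted so that every API in each region of interest is checked in one pass. This is an added example, not part of the original Conformity page; the function names are assumptions, and it relies on the AWS CLI rendering an unset attribute as None when --output text is used.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): scripts CLI audit steps 01-06.
# Usage: pass the regions to audit as arguments, e.g. us-east-1 eu-west-1

# Classify a minimumCompressionSize value as printed by the AWS CLI.
# "None" (--output text), "null" (JSON) or empty means compression is disabled.
classify_compression() {
  case "$1" in
    ""|null|None) echo "DISABLED" ;;
    *[!0-9]*)     echo "UNKNOWN" ;;   # CLI error text or unexpected value
    *)            # the documented range is 0..10485760 bytes
      if [ "${#1}" -le 8 ] && [ "$1" -le 10485760 ]; then echo "ENABLED"
      else echo "UNKNOWN"; fi ;;
  esac
}

# Steps 01-05 for one region: prints "region<TAB>api-id<TAB>status<TAB>raw-value".
audit_region() {
  local region="$1" ids id size
  ids=$(aws apigateway get-rest-apis --region "$region" \
          --query 'items[*].id' --output text) || return 1
  for id in $ids; do
    [ "$id" = "None" ] && continue    # guard: no APIs in this region
    size=$(aws apigateway get-rest-api --region "$region" --rest-api-id "$id" \
             --query 'minimumCompressionSize' --output text) || size="ERROR"
    printf '%s\t%s\t%s\t%s\n' "$region" "$id" \
      "$(classify_compression "$size")" "$size"
  done
}

# Step 06: repeat for every region given; returns 1 if any API is not ENABLED.
audit_all() {
  local region report bad=0
  for region in "$@"; do
    if ! report=$(audit_region "$region"); then
      echo "could not list APIs in $region" >&2; bad=1; continue
    fi
    [ -z "$report" ] && continue
    printf '%s\n' "$report"
    if printf '%s\n' "$report" |
         awk -F'\t' '$3 != "ENABLED" {f=1} END {exit !f}'; then bad=1; fi
  done
  return "$bad"
}

if [ "$#" -gt 0 ]; then audit_all "$@"; fi
```

The non-zero exit status when any API reports DISABLED or UNKNOWN lets the script act as a gate in a scheduled job or pipeline.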

Remediation / Resolution

To enable payload compression for your Amazon API Gateway APIs using the Content Encoding feature, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
   "AWSTemplateFormatVersion":"2010-09-09",
   "Description":"Enable Content Encoding (Compression) Feature",
   "Resources":{
      "RestAPI": {
         "Type": "AWS::ApiGateway::RestApi",
         "Properties": {
           "Name": "WebServiceAPI",
           "Description" : "A simple API Gateway REST API",
           "EndpointConfiguration": {
              "Types": ["REGIONAL"]
           },
           "MinimumCompressionSize" : 5000
         }
      }
   }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Content Encoding (Compression) Feature
Resources:
  RestAPI:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: WebServiceAPI
      Description: A simple API Gateway REST API
      EndpointConfiguration:
        Types:
          - REGIONAL
      MinimumCompressionSize: 5000

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_api_gateway_rest_api" "rest-api" {

  name = "web-service-api"
  description = "A simple API Gateway REST API"

  endpoint_configuration {
    types = ["REGIONAL"]
  }

  # Enable Content Encoding (Compression) Feature
  minimum_compression_size = 5000

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to API Gateway console at https://console.aws.amazon.com/apigateway/.

03 In the main navigation panel, select APIs to access your API Gateway APIs.

04 Click on the name of the API that you want to reconfigure.

05 Choose Settings from the API menu to access the configuration settings available for the selected API.

06 On the Settings page, in the Content Encoding section, perform the following operations:

  1. Select the Content Encoding enabled setting checkbox to enable API payload compression using the Content Encoding feature.
  2. Set your own value for the minimumCompressionSize attribute within the Minimum body size required for compression box. The minimumCompressionSize configuration attribute measures the compression threshold and requires a non-negative integer value between 0 and 10485760 (bytes). If your API payload size is smaller than this value, compression is not applied. Setting it to zero allows compression for any payload size.
  3. Choose Save Changes to apply the changes and enable API payload compression for the selected Amazon API Gateway API.

07 Repeat steps no. 4 – 6 to enable payload compression for each Amazon API Gateway API available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the update-rest-api command (OSX/Linux/UNIX) using the ID of the Amazon API Gateway API that you want to reconfigure as the identifier parameter to enable API payload compression for the selected API. The following command request example sets the minimumCompressionSize attribute value to 5000 bytes (5 KB). This represents the minimum body size required for payload compression:

aws apigateway update-rest-api \
  --region us-east-1 \
  --rest-api-id aabbccaabb \
  --patch-operations op=replace,path=/minimumCompressionSize,value=5000

02 The output should return the update-rest-api command request metadata:

{
    "id": "aabbccaabb",
    "name": "WebAPI",
    "description": "Project5 REST API",
    "createdDate": "2022-01-11T10:55:44+00:00",
    "apiKeySource": "HEADER",
    "endpointConfiguration": {
        "types": [
            "REGIONAL"
        ]
    },
    "tags": {},
    "minimumCompressionSize": 5000,
    "disableExecuteApiEndpoint": false
}

03 Repeat steps no. 1 and 2 to enable payload compression for each Amazon API Gateway API available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.

Publication date Oct 24, 2018