Monitoring API Gateway API configuration with AWS Config - Amazon API Gateway
Supported resource typesSetting up AWS ConfigConfiguring AWS Config to record API Gateway resourcesViewing API Gateway configuration details in the AWS Config consoleEvaluating API Gateway resources using AWS Config rules

Monitoring API Gateway API configuration with AWS Config

You can use AWS Config to record configuration changes made to your API Gateway API resources and send notifications based on resource changes. Maintaining a configuration change history for API Gateway resources is useful for operational troubleshooting, audit, and compliance use cases.

AWS Config can track changes to:

  • API stage configuration, such as:

    • cache cluster settings

    • throttle settings

    • access log settings

    • the active deployment set on the stage

  • API configuration, such as:

    • endpoint configuration

    • version

    • protocol

    • tags

In addition, the AWS Config Rules feature enables you to define configuration rules and automatically detect, track, and alert violations to these rules. By tracking changes to these resource configuration properties, you can also author change-triggered AWS Config rules for your API Gateway resources, and test your resource configurations against best practices.

You can enable AWS Config in your account by using the AWS Config console or the AWS CLI. Select the resource types for which you want to track changes. If you previously configured AWS Config to record all resource types, then these API Gateway resources will be automatically recorded in your account. Support for Amazon API Gateway in AWS Config is available in all AWS public regions and AWS GovCloud (US). For the full list of supported Regions, see Amazon API Gateway Endpoints and Quotas in the AWS General Reference.

Supported resource types

The following API Gateway resource types are integrated with AWS Config and are documented in AWS Config Supported AWS Resource Types and Resource Relationships:

  • AWS::ApiGatewayV2::Api (WebSocket and HTTP API)

  • AWS::ApiGateway::RestApi (REST API)

  • AWS::ApiGatewayV2::Stage (WebSocket and HTTP API stage)

  • AWS::ApiGateway::Stage (REST API stage)

For more information about AWS Config, see the AWS Config Developer Guide. For pricing information, see the AWS Config pricing information page.

Important

If you change any of the following API properties after the API is deployed, you must redeploy the API to propagate the changes. Otherwise, you'll see the attribute changes in the AWS Config console, but the previous property settings will still be in effect; the API's runtime behavior will be unchanged.

  • AWS::ApiGateway::RestApibinaryMediaTypes, minimumCompressionSize, apiKeySource

  • AWS::ApiGatewayV2::ApiapiKeySelectionExpression

Setting up AWS Config

To initially set up AWS Config, see the following topics in the AWS Config Developer Guide.

Configuring AWS Config to record API Gateway resources

By default, AWS Config records configuration changes for all supported types of regional resources that it discovers in the region in which your environment is running. You can customize AWS Config to record changes only for specific resource types, or changes to global resources.

To learn about regional vs. global resources and learn how to customize your AWS Config configuration, see Selecting which Resources AWS Config Records.

Viewing API Gateway configuration details in the AWS Config console

You can use the AWS Config console to look for API Gateway resources and get current and historical details about their configurations. The following procedure shows how to find information about an API Gateway API.

To find an API Gateway resource in the AWS config console

  1. Open the AWS Config console.

  2. Choose Resources.

  3. On the Resource inventory page, choose Resources.

  4. Open the Resource type menu, scroll to APIGateway or APIGatewayV2, and then choose one or more of the API Gateway resource types.

  5. Choose Look up.

  6. Choose a resource ID in the list of resources that AWS Config displays. AWS Config displays configuration details and other information about the resource you selected.

  7. To see the full details of the recorded configuration, choose View Details.

To learn more ways to find a resource and view information on this page, see Viewing AWS Resource Configurations and History in the AWS Config Developer Guide.

Evaluating API Gateway resources using AWS Config rules

You can create AWS Config rules, which represent the ideal configuration settings for your API Gateway resources. You can use predefined AWS Config Managed Rules, or define custom rules. AWS Config continuously tracks changes to the configuration of your resources to determine whether those changes violate any of the conditions in your rules. The AWS Config console shows the compliance status of your rules and resources.

If a resource violates a rule and is flagged as noncompliant, AWS Config can alert you using an Amazon Simple Notification Service Developer Guide (Amazon SNS) topic. To programmatically consume the data in these AWS Config alerts, use an Amazon Simple Queue Service (Amazon SQS) queue as the notification endpoint for the Amazon SNS topic.

To learn more about setting up and using rules, see Evaluating Resources with Rules in the AWS Config Developer Guide.