
Monitoring API Gateway API configuration with Amazon Config

You can use Amazon Config to record configuration changes made to your API Gateway API resources and send notifications based on resource changes. Maintaining a configuration change history for API Gateway resources is useful for operational troubleshooting, audit, and compliance use cases.

Amazon Config can track changes to:

  • API stage configuration, such as:

    • cache cluster settings

    • throttle settings

    • access log settings

    • the active deployment set on the stage

  • API configuration, such as:

    • endpoint configuration

    • version

    • protocol

    • tags

In addition, the Amazon Config Rules feature enables you to define configuration rules and automatically detect, track, and alert on violations of these rules. By tracking changes to these resource configuration properties, you can also author change-triggered Amazon Config rules for your API Gateway resources and test your resource configurations against best practices.

You can enable Amazon Config in your account by using the Amazon Config console or the Amazon CLI. Select the resource types for which you want to track changes. If you previously configured Amazon Config to record all resource types, then these API Gateway resources will be automatically recorded in your account. Support for Amazon API Gateway in Amazon Config is available in all Amazon public regions and Amazon GovCloud (US). For the full list of supported Regions, see Amazon API Gateway Endpoints and Quotas in the Amazon Web Services General Reference.

Supported resource types

The following API Gateway resource types are integrated with Amazon Config and are documented in Amazon Config Supported Amazon Resource Types and Resource Relationships:

  • AWS::ApiGatewayV2::Api (WebSocket and HTTP API)

  • AWS::ApiGateway::RestApi (REST API)

  • AWS::ApiGatewayV2::Stage (WebSocket and HTTP API stage)

  • AWS::ApiGateway::Stage (REST API stage)

For more information about Amazon Config, see the Amazon Config Developer Guide. For pricing information, see the Amazon Config pricing information page.

Important

If you change any of the following API properties after the API is deployed, you must redeploy the API to propagate the changes. Otherwise, you'll see the attribute changes in the Amazon Config console, but the previous property settings will still be in effect; the API's runtime behavior will be unchanged.

  • AWS::ApiGateway::RestApi: binaryMediaTypes, minimumCompressionSize, apiKeySource

  • AWS::ApiGatewayV2::Api: apiKeySelectionExpression

Setting up Amazon Config

To initially set up Amazon Config, see the following topics in the Amazon Config Developer Guide.

Configuring Amazon Config to record API Gateway resources

By default, Amazon Config records configuration changes for all supported types of regional resources that it discovers in the region in which your environment is running. You can customize Amazon Config to record changes only for specific resource types, or changes to global resources.

To learn about regional vs. global resources and learn how to customize your Amazon Config configuration, see Selecting which Resources Amazon Config Records.

Viewing API Gateway configuration details in the Amazon Config console

You can use the Amazon Config console to look for API Gateway resources and get current and historical details about their configurations. The following procedure shows how to find information about an API Gateway API.

To find an API Gateway resource in the Amazon Config console

  1. Open the Amazon Config console.

  2. Choose Resources.

  3. On the Resource inventory page, choose Resources.

  4. Open the Resource type menu, scroll to APIGateway or APIGatewayV2, and then choose one or more of the API Gateway resource types.

  5. Choose Look up.

  6. Choose a resource ID in the list of resources that Amazon Config displays. Amazon Config displays configuration details and other information about the resource you selected.

  7. To see the full details of the recorded configuration, choose View Details.

To learn more ways to find a resource and view information on this page, see Viewing Amazon Resource Configurations and History in the Amazon Config Developer Guide.

Evaluating API Gateway resources using Amazon Config rules

You can create Amazon Config rules, which represent the ideal configuration settings for your API Gateway resources. You can use predefined Amazon Config Managed Rules, or define custom rules. Amazon Config continuously tracks changes to the configuration of your resources to determine whether those changes violate any of the conditions in your rules. The Amazon Config console shows the compliance status of your rules and resources.

If a resource violates a rule and is flagged as noncompliant, Amazon Config can alert you using an Amazon Simple Notification Service (Amazon SNS) topic. To programmatically consume the data in these Amazon Config alerts, use an Amazon Simple Queue Service (Amazon SQS) queue as the notification endpoint for the Amazon SNS topic.

To learn more about setting up and using rules, see Evaluating Resources with Rules in the Amazon Config Developer Guide.
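As an added example (not code from this guide), the following Python Lambda function implements a change-triggered custom Amazon Config rule of the kind described above: it evaluates the recorded configuration of an AWS::ApiGateway::Stage or AWS::ApiGatewayV2::Stage item and reports the stage as noncompliant when no access log destination is set. It assumes the configuration item's `configuration` map uses the API Gateway Stage field names (`accessLogSettings.destinationArn`); the sample event, resource ID and token are constructed for illustration.

```python
import json

STAGE_TYPES = {"AWS::ApiGateway::Stage", "AWS::ApiGatewayV2::Stage"}

def evaluate_stage(item):
    """Return (ComplianceType, Annotation) for one configuration item.
    Assumes the recorded 'configuration' mirrors the API Gateway Stage model,
    so access logging is found under accessLogSettings.destinationArn."""
    if item.get("resourceType") not in STAGE_TYPES:
        return "NOT_APPLICABLE", "Rule evaluates API Gateway stages only"
    # A deleted stage still triggers the rule; do not flag it as noncompliant.
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Stage was deleted"
    log_settings = (item.get("configuration") or {}).get("accessLogSettings") or {}
    if not log_settings.get("destinationArn"):
        return "NON_COMPLIANT", "Stage has no access log destination"
    return "COMPLIANT", "Access logging is enabled"

def build_evaluation(event):
    """Turn a change-triggered rule invocation into a PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_stage(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Lambda entry point: report the verdict back to Amazon Config."""
    import boto3  # imported lazily so the evaluation logic also runs offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample invocation: a REST API stage recorded without access logs.
SAMPLE_EVENT = {
    "resultToken": "constructed-token",
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::ApiGateway::Stage",
        "resourceId": "abc123/prod",  # constructed restApiId/stageName
        "configurationItemStatus": "ResourceDiscovered",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"stageName": "prod", "cacheClusterEnabled": False},
    }}),
}
```

Because the rule is change-triggered, each stage change recorded by Amazon Config re-evaluates only that stage, and the `Annotation` appears next to the resource on the rule's compliance page.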