
Rule: API Gateway Stage Logging Should Be Enabled

This rule ensures that API Gateway stage logging is enabled for enhanced monitoring and security measures.

Rule: API Gateway stage logging should be enabled
Framework: CISA-cyber-essentials
Severity: High

Rule Description: API Gateway stage logging should be enabled for CISA-cyber-essentials

Enabling API Gateway stage logging is important for tracking and monitoring the activities and requests made to an API. This is especially crucial for CISA-cyber-essentials compliance, as it ensures that logs are generated and retained to meet security and auditing requirements.

Troubleshooting Steps:

If API Gateway stage logging is not enabled for CISA-cyber-essentials, follow these troubleshooting steps:

  1. Check API Gateway Stage Settings: Verify that the stage logging option is enabled for the specific API Gateway stage associated with CISA-cyber-essentials.
  2. Verify IAM Permissions: Ensure that the IAM role API Gateway uses for CloudWatch Logs has sufficient permissions to enable stage logging. The necessary permissions include logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents. This role is set once per account and region in the API Gateway account settings (cloudWatchRoleArn); if it is missing, the stage update that turns logging on is rejected.
  3. CloudWatch Logs Configuration: Check whether the API Gateway stage is configured to send logs to CloudWatch Logs. If not, configure the stage to enable this integration.

Necessary Code:

If stage logging is not already enabled for CISA-cyber-essentials, you can use the following AWS CLI command to update the stage settings:

aws apigateway update-stage --rest-api-id <rest_api_id> --stage-name <stage_name> --patch-operations op="replace",path="/*/*/logging/loglevel",value="INFO"

Replace <rest_api_id> with the ID of your API Gateway and <stage_name> with the name of the stage associated with CISA-cyber-essentials. The patch path has the form /{resource_path}/{http_method}/logging/loglevel; the two wildcards apply the setting to every resource and method in the stage. This command sets the logging level to INFO, but you can adjust it (for example to ERROR) as per your requirements.

Step-by-step Guide for Remediation:

To enable API Gateway stage logging for CISA-cyber-essentials, follow these steps:

  1. Open the AWS Management Console and navigate to the API Gateway service.
  2. Select the desired API from the list.
  3. In the left-hand menu, click on "Stages" to view the stages associated with the API.
  4. Locate the stage associated with CISA-cyber-essentials and click on its name.
  5. In the Stage Editor, click on the "Logs/Tracing" tab.
  6. Ensure that the "Enable CloudWatch Logs" option is enabled.
  7. If it's already enabled, proceed to the next step. Otherwise, click on the toggle switch to enable it.
  8. Verify the Log Level (optional): If you wish to adjust the log level, select the desired level from the dropdown menu (e.g., INFO or ERROR).
  9. Click on the "Save Changes" button to apply the configuration.
  10. Verify that stage logging is enabled by checking the CloudWatch Logs service.

By following these steps, you will successfully enable API Gateway stage logging for CISA-cyber-essentials compliance. Make sure to retain the logs for the required duration as per your organization's policies and regulatory requirements.
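The check behind this rule, and the patch operations the CLI command above sends, can be reproduced offline. The following is an added example, not Cloud Defense's rule engine or AWS code: it evaluates stage descriptions in the shape returned by `aws apigateway get-stage` (the `methodSettings` map keyed by `resourcePath/httpMethod`) and builds the `update-stage` patch for stages that fail. The function names and the sample stages are constructed for illustration.

```python
"""Offline evaluation of the 'API Gateway stage logging should be enabled' rule."""
from typing import Dict, List

# Stage-wide settings live under the "*/*" key (every resource, every method).
STAGE_WIDE = "*/*"
# Execution logging counts as enabled at either level; "OFF" (or no entry) fails.
ACCEPTED_LEVELS = {"INFO", "ERROR"}


def stage_logging_enabled(stage: Dict) -> bool:
    """True when execution logging is turned on for the whole stage.

    A per-method override alone (e.g. only "~1pets/GET") does not satisfy the
    rule, and a stage with no "*/*" entry has never had logging configured.
    """
    stage_wide = stage.get("methodSettings", {}).get(STAGE_WIDE, {})
    return stage_wide.get("loggingLevel", "OFF") in ACCEPTED_LEVELS


def remediation_patch(level: str = "INFO") -> List[Dict[str, str]]:
    """Patch operations for update-stage / boto3 update_stage(patchOperations=...).

    Path form is /{resource_path}/{http_method}/logging/loglevel; '*' wildcards
    make it stage-wide, matching the CLI command in the remediation text.
    """
    if level not in ACCEPTED_LEVELS:
        raise ValueError(f"unsupported logging level: {level}")
    return [{"op": "replace", "path": "/*/*/logging/loglevel", "value": level}]


def audit_stages(stages: List[Dict]) -> List[str]:
    """Return the names of the stages that violate the rule."""
    return [s["stageName"] for s in stages if not stage_logging_enabled(s)]


# Constructed sample data (not real API Gateway output): one compliant stage,
# one never configured, one with only a per-method override. In get-stage
# output a resource path's slashes are escaped as "~1" inside the key.
SAMPLE_STAGES = [
    {"stageName": "prod",
     "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": False}}},
    {"stageName": "dev", "methodSettings": {}},
    {"stageName": "test",
     "methodSettings": {"~1pets/GET": {"loggingLevel": "INFO"}}},
]

if __name__ == "__main__":
    for name in audit_stages(SAMPLE_STAGES):
        print(f"{name}: stage logging disabled -> apply {remediation_patch()}")
```

Feeding the real `get-stage` JSON for each stage into `audit_stages` gives the same verdict this rule reports, and the returned patch list can be passed unchanged to `update-stage`.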
