
Enable API Gateway Stage Logging Rule

This rule requires enabling logging for API Gateway stages.

Rule: API Gateway stage logging should be enabled
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description:

This rule requires that logging be enabled on every API Gateway stage, as needed for compliance with FedRAMP Low Revision 4. Stage logging produces an audit trail of API requests and gateway errors, which supports both security monitoring and regulatory evidence.

Troubleshooting Steps:

If you encounter any issues while enabling logging for the API Gateway stage, follow these troubleshooting steps:

1. Check IAM Permissions: Ensure that you have the necessary IAM permissions to enable logging for the API Gateway stage. Check if you have the required access to the AWS Management Console or the necessary permissions via the AWS CLI.

2. Verify API Gateway Configuration: Ensure that your API Gateway is properly configured and deployed. Check that the stage configuration is accurate and that the API is functioning as expected.

3. Review CloudWatch Logs: If you have enabled logging but are not seeing the desired logs, verify the CloudWatch Logs configuration. Ensure that the correct log group is specified and that the log group is associated with the API Gateway stage.

4. Check IAM Roles and Policies: Review the IAM roles and policies associated with your API Gateway stage. Ensure that the roles have the necessary permissions to write logs to CloudWatch Logs.

5. Examine Execution Role: If you are using AWS Lambda functions behind your API Gateway, check the execution role associated with the Lambda function. Ensure that it has IAM permissions to write logs to CloudWatch Logs.

Necessary Codes:

No application code is required to enable API Gateway stage logging. However, you may need to configure the following settings:

1. Enable CloudWatch Logs: If a log group for the stage does not already exist, create one. This can be done via the AWS Management Console or by using the AWS CLI with the following command:

aws logs create-log-group --log-group-name <log-group-name>

Replace <log-group-name> with the desired name for your log group.

2. Enable Stage Logging: To enable execution logging for every resource and method in the API Gateway stage, use the AWS CLI with the following command:

aws apigateway update-stage --rest-api-id <rest-api-id> --stage-name <stage-name> --patch-operations op=replace,path=/*/*/logging/loglevel,value=INFO

Replace <rest-api-id> with the ID of your API Gateway and <stage-name> with the name of the stage for which you want to enable logging. The /*/*/ prefix applies the setting to all resources and methods in the stage, and the value can be ERROR or INFO. To additionally log full request and response payloads, append a second operation, op=replace,path=/*/*/logging/dataTrace,value=true; this writes request and response bodies, including any credentials or personal data they contain, to the log group, so enable it only where that is acceptable.
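The following script is an added example, not part of the Cloud Defense rule engine or AWS tooling. It evaluates the two settings this rule cares about (stage-wide execution logging under methodSettings and access logging under accessLogSettings) over a response shaped like the output of aws apigateway get-stages, and builds the patchOperations list that update-stage needs to remediate a failing stage. The sample response, stage names, and ARNs are constructed so the script runs offline; the function names are this example's own.

```python
"""Audit API Gateway REST API stages for the logging settings the rule requires
and build the update-stage patch operations that remediate a failing stage.

Added example (not Cloud Defense's or AWS's code). Input is shaped like the
response of `aws apigateway get-stages` / boto3 get_stages(); the sample below
is constructed so the script runs with no AWS access.
"""
import json

# Constructed sample: "prod" is compliant, "dev" has logging turned off entirely.
SAMPLE_GET_STAGES = json.loads("""
{
  "item": [
    {
      "stageName": "prod",
      "deploymentId": "abc123",
      "methodSettings": {
        "*/*": {"metricsEnabled": true, "loggingLevel": "INFO",
                "dataTraceEnabled": false}
      },
      "accessLogSettings": {
        "format": "$context.requestId $context.status $context.identity.sourceIp",
        "destinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:apigw-access-prod"
      }
    },
    {
      "stageName": "dev",
      "deploymentId": "def456",
      "methodSettings": {}
    }
  ]
}
""")


def evaluate_stage(stage):
    """Return {"compliant": bool, "findings": [...], "warnings": [...]} for one stage.

    Stage-wide execution logging set via path /*/*/logging/loglevel appears in
    methodSettings under the "*/*" key; access logging lives in accessLogSettings.
    """
    findings, warnings = [], []
    settings = stage.get("methodSettings", {}).get("*/*", {})
    if settings.get("loggingLevel", "OFF") == "OFF":
        findings.append("execution logging is OFF (set loggingLevel to ERROR or INFO)")
    if not stage.get("accessLogSettings", {}).get("destinationArn"):
        findings.append("access logging has no CloudWatch Logs destinationArn")
    if settings.get("dataTraceEnabled"):
        # Not a failure of this rule, but full request/response bodies can put
        # tokens and personal data into the log group; flag it for review.
        warnings.append("dataTrace is enabled: full request/response bodies are logged")
    return {"compliant": not findings, "findings": findings, "warnings": warnings}


def audit(get_stages_response):
    """Map stageName -> evaluation for every stage in a get-stages response."""
    return {s["stageName"]: evaluate_stage(s) for s in get_stages_response["item"]}


def remediation_patch(log_level="INFO", access_log_arn=None, access_log_format=None):
    """Build the patchOperations list for update-stage / update_stage().

    log_level must be ERROR or INFO. access_log_arn is the ARN of the log group
    created for access logs; API Gateway requires the format to contain
    $context.requestId or $context.extendedRequestId, so a minimal default is used.
    """
    if log_level not in ("ERROR", "INFO"):
        raise ValueError("log_level must be ERROR or INFO")
    ops = [{"op": "replace", "path": "/*/*/logging/loglevel", "value": log_level}]
    if access_log_arn:
        ops.append({"op": "replace", "path": "/accessLogSettings/destinationArn",
                    "value": access_log_arn})
        ops.append({"op": "replace", "path": "/accessLogSettings/format",
                    "value": access_log_format or "$context.requestId $context.status"})
    return ops


if __name__ == "__main__":
    for name, result in audit(SAMPLE_GET_STAGES).items():
        print(f"{name}: {'PASS' if result['compliant'] else 'FAIL'}")
        for line in result["findings"] + result["warnings"]:
            print(f"  - {line}")
    # Live remediation would pass the same list to boto3, e.g.
    #   boto3.client("apigateway").update_stage(restApiId=api_id, stageName="dev",
    #       patchOperations=remediation_patch("INFO", access_log_arn))
    print(json.dumps(remediation_patch("INFO"), indent=2))
```

Execution logging to CloudWatch also requires an account-level CloudWatch Logs role for API Gateway; if none is set, update-stage rejects the loglevel operation with an error stating that the CloudWatch Logs role ARN must be set in account settings, and the role is configured with aws apigateway update-account --patch-operations op=replace,path=/cloudwatchRoleArn,value=<role-arn>.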

Step-by-Step Guide for Remediation:

Follow these steps to enable logging for the API Gateway stage:

1. Open the AWS Management Console and navigate to the API Gateway service.

2. Select the API Gateway that needs logging enabled.

3. Click on the desired stage for which you want to enable logging.

4. In the "Stage Editor" section, click on the "Logs/Tracing" tab.

5. Scroll down to the "Access Logging" section and click on the "Edit" button.

6. Enable the "Enable CloudWatch Logs" option.

7. Specify the log format and log level according to your requirements.

8. Click on the "Save changes" button to save the configuration.

9. If you haven't already enabled CloudWatch Logs, you can enable it by following the steps mentioned earlier.

By following these steps, you will successfully enable logging for the API Gateway stage, ensuring compliance with FedRAMP Low Revision 4.
