This rule ensures API Gateway stage logging is enabled to maintain high security standards.
| Rule | API Gateway stage logging should be enabled |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | ✔ High |
Rule Description: API Gateway stage logging should be enabled for FedRAMP Moderate Revision 4
Rule Summary:
Enabling stage logging in the API Gateway is a requirement for compliance with the FedRAMP (Federal Risk and Authorization Management Program) Moderate Revision 4 security standards. It ensures that the necessary logs are generated and retained for auditing and monitoring purposes.
Troubleshooting Steps:
If stage logging is not enabled or not functioning properly, the following troubleshooting steps can be taken:
Verify Logging Settings: Check the API Gateway configuration for stage logging settings. Ensure that it is enabled and configured to capture the necessary log data.
Check IAM Permissions: Make sure that the IAM role API Gateway uses to write to CloudWatch Logs (configured at the account level as the CloudWatch log role) exists, trusts the apigateway.amazonaws.com service principal, and has permission to create log streams and put log events in the target log group.
Review CloudWatch Log Groups: Check the CloudWatch Log Groups associated with the API Gateway stage logging. Ensure that the log groups exist and are properly configured.
Test Logging Configuration: Send a test request to the API and verify that log entries appear in the designated CloudWatch Log Group.
Review Log Retention Settings: Ensure that the log retention period is set appropriately for compliance requirements.
Necessary Codes:
There are no specific codes required for enabling stage logging in the API Gateway. The configuration can be done through the AWS Management Console or through the AWS Command Line Interface (CLI).
Step-by-Step Guide for Remediation:
Option 1: Using the AWS Management Console
Option 2: Using the AWS CLI
aws apigateway update-account --patch-operations '[{"op":"replace","path":"/cloudwatchRoleArn","value":"arn:aws:iam::<account-id>:role/<role-name>"}]'
aws apigateway update-stage --rest-api-id <rest-api-id> --stage-name <stage-name> --patch-operations '[{"op":"replace","path":"/accessLogSettings/format","value":"{\"requestId\":\"$context.requestId\",\"ip\":\"$context.identity.sourceIp\",\"method\":\"$context.httpMethod\",\"path\":\"$context.path\",\"status\":\"$context.status\"}"},{"op":"replace","path":"/accessLogSettings/destinationArn","value":"arn:aws:logs:<region>:<account-id>:log-group:<log-group-name>"},{"op":"replace","path":"/*/*/logging/loglevel","value":"INFO"}]'
Note: Replace <rest-api-id>, <stage-name>, <region>, <account-id>, <log-group-name>, and <role-name> with the actual values for your API Gateway configuration. The CloudWatch log role is an account-level setting (update-account), not a stage setting; the stage is modified with update-stage, since create-stage does not accept patch operations. The access log format must reference $context.requestId (or $context.extendedRequestId), and the /*/*/logging/loglevel path turns on execution logging (ERROR or INFO) for every method in the stage.
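To check the rule across all stages of an API before and after remediation, the following added example (not part of the original page or any AWS tooling) evaluates a `get-stages` response for both access logging and execution logging and builds the matching `update-stage` patch operations; the stage names, account id and log group ARN in the sample are constructed.

```python
"""Audit API Gateway REST stages for this rule: access logging must target a
CloudWatch Logs group and execution logging must be ERROR or INFO. Input has the
shape of `aws apigateway get-stages --rest-api-id <id>` output."""

# Constructed sample shaped like get-stages output; ARNs and names are made up.
SAMPLE_STAGES = {"item": [
    {"stageName": "prod",  # both controls on
     "accessLogSettings": {
         "format": '{"requestId":"$context.requestId","status":"$context.status"}',
         "destinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:apigw-access"},
     "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": False}}},
    {"stageName": "dev",  # access logs on, execution logging off
     "accessLogSettings": {"format": "$context.requestId $context.status",
                           "destinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:apigw-access"},
     "methodSettings": {"*/*": {"loggingLevel": "OFF"}}},
    {"stageName": "test", "methodSettings": {}},  # nothing configured
]}

ACCEPTED_LEVELS = ("ERROR", "INFO")
# An access log format must reference $context.requestId (or extendedRequestId).
DEFAULT_ACCESS_FORMAT = ('{"requestId":"$context.requestId","ip":"$context.identity.sourceIp",'
                         '"method":"$context.httpMethod","path":"$context.path","status":"$context.status"}')

def stage_findings(stage: dict) -> list:
    """Return findings for one stage; an empty list means it passes."""
    findings = []
    dest = (stage.get("accessLogSettings") or {}).get("destinationArn", "")
    if not dest.startswith("arn:aws:logs:"):
        findings.append("access logging: no CloudWatch Logs destinationArn")
    # "*/*" is the stage-wide default that applies to every resource and method.
    level = (stage.get("methodSettings") or {}).get("*/*", {}).get("loggingLevel", "OFF")
    if level not in ACCEPTED_LEVELS:
        findings.append(f"execution logging: loggingLevel is {level}, expected ERROR or INFO")
    return findings

def evaluate(get_stages_output: dict) -> dict:
    """Map stage name -> findings for every stage in a get-stages response."""
    return {s["stageName"]: stage_findings(s) for s in get_stages_output["item"]}

def remediation_patch(stage: dict, log_group_arn: str, level: str = "INFO") -> list:
    """--patch-operations for `aws apigateway update-stage`, fixing only what failed.
    The CloudWatch role itself is account-wide (update-account /cloudwatchRoleArn)."""
    ops, findings = [], stage_findings(stage)
    if any(f.startswith("access logging") for f in findings):
        ops += [{"op": "replace", "path": "/accessLogSettings/format", "value": DEFAULT_ACCESS_FORMAT},
                {"op": "replace", "path": "/accessLogSettings/destinationArn", "value": log_group_arn}]
    if any(f.startswith("execution logging") for f in findings):
        ops.append({"op": "replace", "path": "/*/*/logging/loglevel", "value": level})
    return ops
```

Feed `evaluate()` the parsed output of `aws apigateway get-stages` to list non-compliant stages, and pass any failing stage to `remediation_patch()` to get the JSON for `--patch-operations`.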
Conclusion:
Enabling stage logging in the API Gateway is essential to comply with the FedRAMP Moderate Revision 4 security standards. By following the provided troubleshooting steps and using either the AWS Management Console or the AWS CLI, you can ensure that stage logging is properly enabled for your API Gateway instance.