Rule: API Gateway Stage Logging Should Be Enabled
This rule ensures that API Gateway stage logging is enabled for improved security measures.
| Rule | API Gateway stage logging should be enabled |
| Framework | Federal Financial Institutions Examination Council (FFIEC) |
| Severity | ✔ High |
Rule/Policy Description:
The rule/policy states that the logging should be enabled for the API Gateway stage specific to the Federal Financial Institutions Examination Council (FFIEC). Logging is crucial for tracking and auditing the API requests and responses, helping to ensure the security and compliance of the FFIEC's data and services.
Troubleshooting Steps:
If logging is not enabled for the API Gateway stage of FFIEC, follow these troubleshooting steps to rectify the issue:
- 1.
Verify Stage Configuration: Confirm that the FFIEC API Gateway stage is correctly configured and deployed. Check if the stage has been created and associated with the proper APIs.
- 2.
Check CloudWatch Logs: Navigate to the AWS CloudWatch service and verify if the logs are being generated for the API Gateway. Look specifically for the logs related to the FFIEC stage.
- 3.
Ensure Appropriate Permissions: Ensure that the execution role associated with the API Gateway has the necessary permissions to write logs to CloudWatch. Verify that the role has the
permission.logs:PutLogEvents - 4.
Inspect Logging Settings for APIs: Double-check the individual APIs associated with the FFIEC stage and make sure that logging is enabled at the API level. If logging is not enabled at the API level, enabling it will automatically create log streams in CloudWatch for the corresponding API.
- 5.
Review API Gateway Execution Logs: Analyze the API Gateway execution logs to identify any potential errors or warnings related to logging. These logs may provide additional insights into the issue.
- 6.
Consult AWS Support: If you are still unable to enable logging for the FFIEC API Gateway stage, consider reaching out to AWS support for further assistance. They can investigate the configuration and help achieve a resolution.
Necessary Code:
There are no specific code snippets required for enabling logging for the API Gateway stage in AWS. The process can be accomplished using the AWS Management Console or through the AWS Command Line Interface (CLI).
Step-by-Step Guide for Remediation:
Follow these steps to enable logging for the API Gateway stage related to the FFIEC using the AWS Management Console:
- 1.
Sign in to the AWS Management Console: Access the AWS Management Console using your account credentials.
- 2.
Open Amazon API Gateway: Navigate to the API Gateway service within the AWS Management Console.
- 3.
Select the API: Choose the API associated with the FFIEC stage that you want to enable logging for.
- 4.
Navigate to Stages: From the left-hand navigation pane, under the selected API, click on "Stages".
- 5.
Select the FFIEC Stage: Locate and select the specific stage related to the FFIEC from the list of available stages.
- 6.
Open Stage Settings: In the stage details, click on the "Stage Settings" tab.
- 7.
Enable Logging: Under the "Logs/Tracing" section, toggle the "Enable CloudWatch Logs" option to enable logging for the stage.
- 8.
Configure Log Levels (Optional): If required, adjust the log levels for detailed logging by choosing appropriate values for "Log level".
- 9.
Save Changes: Click on "Save Changes" to apply the logging configuration for the FFIEC stage.
Conclusion:
Enabling logging for the API Gateway stage specific to the Federal Financial Institutions Examination Council (FFIEC) is important to ensure proper tracking, auditing, and compliance of the API requests and responses. By following the step-by-step guide provided, you can easily enable logging for the FFIEC stage using the AWS Management Console.