
Rule: API Gateway Stage Logging Should Be Enabled

This rule checks whether logging is enabled on API Gateway stages, so that API requests are recorded for monitoring and security investigation.

Rule: API Gateway stage logging should be enabled
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description

The rule requires that logging be enabled on every API Gateway stage. API Gateway can write two kinds of stage logs to CloudWatch Logs: access logs (one record per request, in a format you define using $context variables) and execution logs (request and response details at ERROR or INFO level). Without them there is no record of who called the API, what they requested, or which requests failed, so the audit and monitoring requirements of NIST 800-171 Revision 2 (for example 3.3.1, create and retain system audit logs and records) cannot be met for the API.

Troubleshooting Steps

If API Gateway stage logging is not enabled, or enabling it fails, follow the steps below to troubleshoot and resolve the issue:

  1. Verify IAM Permissions: Ensure that the user or role you are using is allowed to update the stage (apigateway:PATCH on the stage resource). For execution logs, API Gateway also needs an account-level CloudWatch Logs role (an IAM role trusted by apigateway.amazonaws.com with the AmazonAPIGatewayPushToCloudWatchLogs managed policy); you can check it with "aws apigateway get-account", which returns cloudwatchRoleArn when it is set.

  2. Check API Gateway Configuration: Confirm that you are looking at the correct REST API and stage, and check its current settings with "aws apigateway get-stage". Access logging is on only if accessLogSettings contains both destinationArn and format; execution logging is on only if methodSettings for "*/*" has loggingLevel set to ERROR or INFO.

  3. Review Log Group and Retention Settings: Verify that the destination CloudWatch Log Group exists and that you pass its ARN without a trailing ":*" (API Gateway rejects that form). Set a retention period on the group ("aws logs put-retention-policy") that satisfies your NIST 800-171 Revision 2 audit record retention requirement; a newly created group retains logs forever by default.

  4. Test and Validate: After enabling logging, send a few test requests to the stage and confirm that entries appear in the access log group and, for execution logging, in the group named API-Gateway-Execution-Logs_<rest-api-id>/<stage-name>.

Code

If you are using the AWS CLI, you can use the following command to enable access logging on a stage. Both destinationArn and format are required; if format is omitted, the call fails with a BadRequestException and nothing is changed:

aws apigateway update-stage \
    --rest-api-id <your-rest-api-id> \
    --stage-name <your-stage-name> \
    --patch-operations '[
        {
            "op" : "add",
            "path" : "/accessLogSettings/destinationArn",
            "value" : "<your-cloudwatch-log-group-arn>"
        },
        {
            "op" : "add",
            "path" : "/accessLogSettings/format",
            "value" : "$context.requestId $context.identity.sourceIp $context.requestTime $context.httpMethod $context.resourcePath $context.status $context.protocol $context.responseLength"
        }
    ]'

Note: Replace <your-rest-api-id>, <your-stage-name>, and <your-cloudwatch-log-group-arn> with the values for your API Gateway configuration. The log group ARN has the form arn:aws:logs:<region>:<account-id>:log-group:<log-group-name>, with no trailing ":*". Execution logging is a separate setting on the same stage, enabled with the patch path "/*/*/logging/loglevel" and a value of ERROR or INFO; it requires the account-level CloudWatch Logs role described in the troubleshooting steps.
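The check described in the troubleshooting steps, and the patch operations the CLI command above sends, can be put into a small script that evaluates "aws apigateway get-stage" output and emits only the fixes a stage actually needs. The following Python is an added example written for this page, not Cloud Defense's rule engine or any AWS code. The sample stage documents and the account/role ARNs in it are constructed for the example; the access log format is one reasonable choice, not a required one.

```python
"""Evaluate an API Gateway REST stage for logging compliance and build the
--patch-operations that would remediate it.

Input is the JSON returned by `aws apigateway get-stage` (or boto3's
get_stage()). Two independent settings are checked:
  * access logging:    accessLogSettings.destinationArn AND .format are set
  * execution logging: methodSettings["*/*"].loggingLevel is ERROR or INFO
The account-level CloudWatch role (`aws apigateway get-account`) is checked
as well, because execution logging writes nothing without it.
"""
import json
import re
from typing import Optional

ACCEPTED_LEVELS = {"ERROR", "INFO"}

# Example access-log format (assumption for this example): JSON built from
# $context variables that API Gateway substitutes for every request.
DEFAULT_ACCESS_LOG_FORMAT = json.dumps({
    "requestId": "$context.requestId",
    "ip": "$context.identity.sourceIp",
    "requestTime": "$context.requestTime",
    "httpMethod": "$context.httpMethod",
    "resourcePath": "$context.resourcePath",
    "status": "$context.status",
    "protocol": "$context.protocol",
    "responseLength": "$context.responseLength",
})

# A log-GROUP ARN: no trailing ':*' and no ':log-stream:' suffix.
LOG_GROUP_ARN = re.compile(r"^arn:aws[a-z-]*:logs:[a-z0-9-]+:\d{12}:log-group:[^:*]+$")


def check_stage_logging(stage: dict, account: Optional[dict] = None) -> dict:
    """Return {"compliant": bool, "findings": [...]} for one stage document."""
    findings = []

    access = stage.get("accessLogSettings") or {}
    dest, fmt = access.get("destinationArn"), access.get("format")
    if not dest or not fmt:
        findings.append("access logging off: destinationArn and format must both be set")
    elif not LOG_GROUP_ARN.match(dest):
        findings.append(f"access log destination is not a log-group ARN: {dest}")

    level = (stage.get("methodSettings") or {}).get("*/*", {}).get("loggingLevel", "OFF")
    if level not in ACCEPTED_LEVELS:
        findings.append(f"execution logging level for */* is {level}, expected ERROR or INFO")
    elif account is not None and not account.get("cloudwatchRoleArn"):
        findings.append("execution logging set but the account has no cloudwatchRoleArn")

    return {"compliant": not findings, "findings": findings}


def remediation_patch(stage: dict, log_group_arn: str, level: str = "INFO",
                      access_log_format: str = DEFAULT_ACCESS_LOG_FORMAT) -> list:
    """Build the patch-operations list for `aws apigateway update-stage`
    that fixes only what check_stage_logging() flagged."""
    findings = check_stage_logging(stage)["findings"]
    ops = []
    if any(f.startswith("access log") for f in findings):
        ops.append({"op": "replace", "path": "/accessLogSettings/destinationArn", "value": log_group_arn})
        ops.append({"op": "replace", "path": "/accessLogSettings/format", "value": access_log_format})
    if any(f.startswith("execution logging level") for f in findings):
        ops.append({"op": "replace", "path": "/*/*/logging/loglevel", "value": level})
    return ops


# Constructed sample get-stage documents (not real deployments).
STAGE_NO_LOGGING = {"deploymentId": "d3pl0y", "stageName": "prod", "methodSettings": {}}
STAGE_COMPLIANT = {
    "deploymentId": "d3pl0y",
    "stageName": "prod",
    "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTrace": False, "metricsEnabled": True}},
    "accessLogSettings": {
        "destinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:/apigw/prod-access",
        "format": DEFAULT_ACCESS_LOG_FORMAT,
    },
}
SAMPLE_ACCOUNT = {"cloudwatchRoleArn": "arn:aws:iam::123456789012:role/apigw-cloudwatch-logs"}

if __name__ == "__main__":
    group = "arn:aws:logs:us-east-1:123456789012:log-group:/apigw/prod-access"
    for name, stage in (("no-logging", STAGE_NO_LOGGING), ("compliant", STAGE_COMPLIANT)):
        print(name, json.dumps(check_stage_logging(stage, SAMPLE_ACCOUNT)))
        ops = remediation_patch(stage, group)
        if ops:
            print("aws apigateway update-stage --rest-api-id <id> --stage-name",
                  stage["stageName"], "--patch-operations", "'" + json.dumps(ops) + "'")
```

Run it against real output by piping "aws apigateway get-stage --rest-api-id ... --stage-name ..." into json.load and passing the result to check_stage_logging(); the printed update-stage command is what the Code section above sends, plus the execution-log level when that is also missing. Keeping the account check separate from the stage check matters because a stage can report loggingLevel INFO while the account has no CloudWatch role, which passes a naive check and still produces no logs.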

Remediation Steps

To enable API Gateway stage logging for NIST 800-171 Revision 2 compliance from the console, follow the step-by-step guide below:

  1. Open the AWS Management Console and navigate to the API Gateway service.

  2. Select the REST API whose stage was flagged.

  3. In the left-hand menu, click "Stages" under your API.

  4. Choose the stage you want to enable logging for.

  5. Locate the stage's logging settings (the "Logs and tracing" section in the current console; older consoles show it as a "Logs/Tracing" tab) and click "Edit".

  6. Turn on CloudWatch (execution) logs and choose a log level, "Errors only" or "Errors and info logs". Leave "Data tracing" (full request and response logging) off in production unless you have a specific need, because it writes request bodies, which may contain credentials or personal data, to the log. If the console reports that the account has no CloudWatch Logs role, first set one under the API Gateway "Settings" page: an IAM role trusted by apigateway.amazonaws.com with the AmazonAPIGatewayPushToCloudWatchLogs managed policy.

  7. Turn on custom access logging, enter the ARN of the destination CloudWatch Log Group (create the group first if it does not exist) and a log format that includes at least $context.requestId.

  8. Click "Save changes".

  9. Verify by sending a few requests to the stage and confirming that entries appear in the access log group and in the execution log group API-Gateway-Execution-Logs_<rest-api-id>/<stage-name>.

By following these steps, you will have enabled both access and execution logging for the stage, which satisfies this rule and the corresponding audit logging requirement of NIST 800-171 Revision 2.
