
Rule: API Gateway Stage Logging Should Be Enabled

This rule ensures that API Gateway stage logging is enabled to enhance security measures.

Rule: API Gateway stage logging should be enabled
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

The API Gateway stage logging should be enabled to comply with the NIST 800-171 Revision 2 security standards. Enabling stage logging helps in maintaining an audit trail of API Gateway stage-level activities and can assist in detecting and investigating any security incidents or policy violations.

Troubleshooting Steps:

  1. Check if stage logging is already enabled by navigating to the API Gateway console and selecting the specific API Gateway instance.
  2. Find the target stage which needs to be verified for logging and click on the "Stages" link.
  3. Select the desired stage to view its details.
  4. On the "Stage Editor" page, check if the "CloudWatch Settings" section includes the log settings.
  5. If logging is not enabled, follow the remediation steps below.

Remediation:

To enable API Gateway stage logging for NIST 800-171 Revision 2, follow these steps:

  1. Open the AWS Command Line Interface (CLI) or an SDK-supported tool.

  2. Run the following AWS CLI command to enable stage logging (the "/*/*" prefix in the patch path applies the log level to every resource and method in the stage):

    aws apigateway update-stage --rest-api-id <api_id> --stage-name <stage_name> --patch-operations '[{"op":"replace","path":"/*/*/logging/loglevel","value":"INFO"}]'

    Replace <api_id> with the actual ID of your API Gateway instance and <stage_name> with the name of the target stage.

  3. Run the following command to verify that stage logging is successfully enabled:

    aws apigateway get-stage --rest-api-id <api_id> --stage-name <stage_name>

    Replace <api_id> and <stage_name> with the appropriate values.

  4. After executing the above commands, check the response to ensure that the "logs/execution" field is present and indicates successful stage logging.

  5. Repeat the above steps for each stage that needs to have logging enabled.
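The following Python script is an added example and not part of this rule page or Cloud Defense's own code. It shows how the verify-and-remediate loop above can be automated against the output of `aws apigateway get-stage`: the checker reads the stage's default method settings (`methodSettings["*/*"].loggingLevel`, which is where get-stage reports execution logging), treats OFF or an absent setting as non-compliant, and renders the exact `update-stage` command with the `/*/*/logging/loglevel` patch for any stage that fails. The three get-stage responses, the API id `a1b2c3d4e5` and the stage names are constructed samples, not data from a real account.

```python
import json
import shlex

# Constructed sample responses in the shape `aws apigateway get-stage` returns
# (not captured from a real account). Execution logging lives under the
# stage's default method settings, keyed "*/*".
SAMPLE_STAGE_LOGGING_ON = json.dumps({
    "deploymentId": "d3pl0y",
    "stageName": "prod",
    "methodSettings": {
        "*/*": {"loggingLevel": "INFO", "metricsEnabled": True, "dataTraceEnabled": False}
    },
})
SAMPLE_STAGE_LOGGING_OFF = json.dumps({
    "deploymentId": "d3pl0y",
    "stageName": "dev",
    "methodSettings": {"*/*": {"loggingLevel": "OFF"}},
})
SAMPLE_STAGE_NO_SETTINGS = json.dumps({
    "deploymentId": "d3pl0y",
    "stageName": "test",
})

# Log levels that satisfy the rule; OFF (or no setting at all) does not.
COMPLIANT_LEVELS = ("ERROR", "INFO")


def stage_logging_enabled(get_stage_output: str) -> bool:
    """Return True when the stage's default method settings log at ERROR or INFO."""
    stage = json.loads(get_stage_output)
    default_settings = stage.get("methodSettings", {}).get("*/*", {})
    # A stage with no methodSettings block has never had logging configured.
    return default_settings.get("loggingLevel", "OFF") in COMPLIANT_LEVELS


def build_patch_operations(level: str = "INFO") -> list:
    """Build the update-stage patch that sets the log level for every method (/*/*)."""
    if level not in COMPLIANT_LEVELS:
        raise ValueError(f"log level {level!r} would not satisfy the rule")
    return [{"op": "replace", "path": "/*/*/logging/loglevel", "value": level}]


def build_update_stage_command(api_id: str, stage_name: str, level: str = "INFO") -> str:
    """Render the remediation command; shlex.quote keeps the JSON argument intact in a shell."""
    patch = json.dumps(build_patch_operations(level), separators=(",", ":"))
    return (
        "aws apigateway update-stage"
        f" --rest-api-id {shlex.quote(api_id)}"
        f" --stage-name {shlex.quote(stage_name)}"
        f" --patch-operations {shlex.quote(patch)}"
    )


def evaluate_stage(api_id: str, stage_name: str, get_stage_output: str) -> dict:
    """Return a finding: compliance flag plus the exact command to run if the stage fails."""
    compliant = stage_logging_enabled(get_stage_output)
    return {
        "api_id": api_id,
        "stage_name": stage_name,
        "compliant": compliant,
        "remediation": None if compliant else build_update_stage_command(api_id, stage_name),
    }


if __name__ == "__main__":
    # Walk the constructed samples as if they were get-stage output for one API.
    samples = [
        ("prod", SAMPLE_STAGE_LOGGING_ON),
        ("dev", SAMPLE_STAGE_LOGGING_OFF),
        ("test", SAMPLE_STAGE_NO_SETTINGS),
    ]
    for stage, output in samples:
        finding = evaluate_stage("a1b2c3d4e5", stage, output)
        status = "PASS" if finding["compliant"] else "FAIL"
        print(f"{status} {finding['stage_name']}: {finding['remediation'] or 'logging enabled'}")
```

Two caveats when running this against a real account: the `update-stage` call only takes effect if the account already has a CloudWatch Logs role ARN configured for API Gateway (set with `aws apigateway update-account` on the `/cloudwatchRoleArn` path), and the check above only covers the stage default; a per-method override in `methodSettings` can set its own `loggingLevel`, so a stricter scan would inspect every key in that map, not just `*/*`.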

Additional Notes:

  • The AWS CLI commands mentioned above can also be achieved using AWS SDKs or other AWS management tools.
  • It is recommended to monitor and retain the generated logs for an appropriate period based on your organization's compliance and security requirements.
  • Regularly review the logs to identify any suspicious activity or security incidents.
