This rule ensures that API Gateway stage logging is enabled to enhance security measures.
| Rule | API Gateway stage logging should be enabled |
| --- | --- |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ High |
Rule Description:
The API Gateway stage logging should be enabled to comply with the NIST 800-171 Revision 2 security standards. Enabling stage logging helps in maintaining an audit trail of API Gateway stage-level activities and can assist in detecting and investigating any security incidents or policy violations.
Troubleshooting Steps:
Remediation:
To enable API Gateway stage logging for NIST 800-171 Revision 2, follow these steps:

1. Open the AWS Command Line Interface (CLI) or an SDK-supported tool.
2. Run the following AWS CLI command to enable execution logging on the stage. The patch path `/*/*/logging/loglevel` is the stage-wide method setting (`*/*` covers every resource and method); the accepted values are `OFF`, `ERROR` and `INFO`:

   aws apigateway update-stage --rest-api-id <api_id> --stage-name <stage_name> --patch-operations '[{"op":"replace","path":"/*/*/logging/loglevel","value":"INFO"}]'

   Replace `<api_id>` with the actual ID of your API Gateway REST API and `<stage_name>` with the name of the target stage.
3. Verify the change by reading the stage back:

   aws apigateway get-stage --rest-api-id <api_id> --stage-name <stage_name>

   Replace `<api_id>` and `<stage_name>` with the appropriate values. After executing the above commands, check the response to ensure that the "logs/execution" field is present and indicates successful stage logging.
4. Repeat the above steps for each stage that needs to have logging enabled.
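The check behind this rule, as an added example that is not part of the original rule page: the script below evaluates `get-stage` style responses offline (the sample responses are constructed for this example, not captured from a real account), treats only the stage-wide `*/*` method setting as deciding compliance, and renders the `update-stage` patch operation for each failing stage. The function names (`evaluate_stage`, `build_patch_operations`, `remediation_command`, `audit`) are this example's own. Two facts it relies on are not stated on the page: execution logging also requires a CloudWatch Logs role ARN configured on the account (`aws apigateway update-account`), which this script does not check, and `INFO` level with `dataTraceEnabled` would write request and response bodies to CloudWatch, so data tracing is deliberately left out of the remediation.

```python
"""Evaluate API Gateway REST stages for execution logging (offline example).

The stage dicts mirror the shape returned by `aws apigateway get-stage`:
a `methodSettings` map keyed by "<resource_path>/<http_method>", where the
key "*/*" is the stage-wide setting that unlisted methods inherit.
"""
import json

COMPLIANT_LEVELS = {"ERROR", "INFO"}  # "OFF" or no setting at all fails the rule
STAGE_WIDE_KEY = "*/*"
VALID_LEVELS = ("OFF", "ERROR", "INFO")


def evaluate_stage(stage: dict) -> dict:
    """Return a finding for one stage: compliance flag, level and reason.

    Per-method overrides such as "/pets/GET" are reported but do not make the
    stage compliant, because every method without an override inherits the
    stage-wide level (which defaults to OFF when the key is absent).
    """
    settings = stage.get("methodSettings") or {}
    level = settings.get(STAGE_WIDE_KEY, {}).get("loggingLevel", "OFF")
    overrides = {
        key: val.get("loggingLevel", "OFF")
        for key, val in settings.items()
        if key != STAGE_WIDE_KEY
    }
    compliant = level in COMPLIANT_LEVELS
    if compliant:
        reason = "stage-wide execution logging is %s" % level
    else:
        reason = ("stage-wide execution logging is off; per-method overrides "
                  "do not cover unlisted methods")
    return {
        "stage": stage.get("stageName"),
        "compliant": compliant,
        "stage_level": level,
        "method_overrides": overrides,
        "reason": reason,
    }


def build_patch_operations(level: str = "INFO") -> list:
    """Patch operations for `aws apigateway update-stage --patch-operations`.

    "/*/*/logging/loglevel" is the stage-wide path. Data tracing is left
    untouched on purpose: it would log full request/response payloads.
    """
    if level not in VALID_LEVELS:
        raise ValueError("loglevel must be one of %s, got %r" % (VALID_LEVELS, level))
    return [{"op": "replace", "path": "/*/*/logging/loglevel", "value": level}]


def remediation_command(api_id: str, stage_name: str, level: str = "INFO") -> str:
    """Render the CLI command that fixes one stage (api_id may be a placeholder)."""
    ops = json.dumps(build_patch_operations(level), separators=(",", ":"))
    return ("aws apigateway update-stage --rest-api-id %s --stage-name %s "
            "--patch-operations '%s'" % (api_id, stage_name, ops))


def audit(stages: list) -> list:
    """Findings for every stage; non-compliant ones carry their fix command."""
    findings = []
    for stage in stages:
        finding = evaluate_stage(stage)
        if not finding["compliant"]:
            finding["fix"] = remediation_command("<api_id>", finding["stage"])
        findings.append(finding)
    return findings


# Constructed sample responses: the shape of get-stage output, invented values.
SAMPLE_STAGES = [
    {"stageName": "prod",
     "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": False}}},
    {"stageName": "dev",
     "methodSettings": {}},  # never configured: no "*/*" entry at all
    {"stageName": "test",
     "methodSettings": {"*/*": {"loggingLevel": "OFF"},
                        "/pets/GET": {"loggingLevel": "INFO"}}},  # override only
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_STAGES):
        print(json.dumps(finding, indent=2))
```

Running the script reports `prod` as compliant and flags `dev` (never configured) and `test` (only a per-method override) with the exact `update-stage` command to apply; to run it against a real account, replace `SAMPLE_STAGES` with the `get-stage` responses for each stage of each REST API.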
Additional Notes: