This rule checks that logging is enabled on every API Gateway stage. It carries a High severity and is mapped to the Access Control (AC) family of the NIST 800-53 Revision 5 benchmark.
| Attribute | Value |
| --- | --- |
| Rule | API Gateway stage logging should be enabled |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule Description
Logging must be enabled on each API Gateway stage to comply with the NIST 800-53 Revision 5 security standard. With stage logging on, every request handled by the stage (caller identity, source IP, method, path, status and request ID) is written to CloudWatch Logs, which gives you the audit trail needed for incident investigation, monitoring and troubleshooting. A stage with logging off leaves no record of who called the API or what they were served.
Troubleshooting Steps
If API Gateway stage logging is reported as not enabled, work through these steps:
Validate API Gateway Settings: Confirm that the REST API exists and has at least one deployment; a stage only exists once a deployment has been created for it.
Verify Stage Configuration: Check that the stage in question is configured correctly, including its integration settings, deployment and resource mappings.
Check Logging Settings: Verify the stage's logging settings. Execution logging is controlled by the stage-wide method setting (log level ERROR or INFO; OFF means disabled), and access logging by an access log destination ARN on the stage.
Review CloudWatch Logs: If logging is enabled but no events arrive, check the log groups themselves. Execution logs land in a group named API-Gateway-Execution-Logs_{rest-api-id}/{stage-name}; access logs land in the log group named in the destination ARN. If enabling execution logging fails outright, the usual cause is that no CloudWatch Logs role ARN has been set in the API Gateway account settings for that region, or that the role cannot write to CloudWatch Logs.
Necessary Codes
The exact code depends on your environment, but here is an example of enabling stage logging for a REST API with AWS CloudFormation:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Execution logging needs an account-level CloudWatch Logs role (one per account and region).
  # This is where the logging role belongs; AccessLogSetting has no RoleArn property.
  ApiGatewayAccount:
    Type: "AWS::ApiGateway::Account"
    Properties:
      CloudWatchRoleArn: "arn:aws:iam::123456789012:role/MyApiGatewayLogsRole"
  MyApiGateway:
    Type: "AWS::ApiGateway::Stage"
    Properties:
      ...
      # Execution logging for every resource and method on the stage.
      # DataTraceEnabled is deliberately left off: it logs full request and response bodies.
      MethodSettings:
        - ResourcePath: "/*"
          HttpMethod: "*"
          LoggingLevel: INFO
      # Access logging: one line per request. The ARN is the bare log group ARN, with no trailing ":*".
      AccessLogSetting:
        DestinationArn: "arn:aws:logs:us-east-1:123456789012:log-group:/api-gateway-logs"
        Format: '$context.identity.sourceIp $context.identity.caller $context.identity.user [$context.requestTime] "$context.httpMethod $context.resourcePath $context.protocol" $context.status $context.responseLength $context.requestId'
      ...
This CloudFormation snippet configures both kinds of stage logging. Execution logging (a stage-wide MethodSettings entry with LoggingLevel ERROR or INFO) writes API Gateway's own request-processing logs and requires the account-level CloudWatchRoleArn; access logging writes one line per request, in the given Format, to the log group named in DestinationArn. Make sure DestinationArn is the log group ARN itself rather than the ":*" form that GetAtt returns for a log group, and that the role behind CloudWatchRoleArn is trusted by apigateway.amazonaws.com and can write to CloudWatch Logs (the AmazonAPIGatewayPushToCloudWatchLogs managed policy is sufficient). Leave DataTraceEnabled off in production: it records full request and response bodies, including any credentials or personal data they carry.
Remediation Steps
To remediate the API Gateway stage logging issue, follow these steps:
Access AWS Management Console: Log in to the AWS Management Console with appropriate credentials.
Navigate to API Gateway Service: Locate the API Gateway service within the AWS Management Console.
Choose the Desired API: Select the relevant API from the list of available APIs.
Configure Stage Logging: Click on the "Stages" section and locate the desired stage for which you want to enable logging.
Enable Logging: Under the stage settings, open the "Logs/Tracing" tab or section and enable CloudWatch execution logging if it is not already on, choosing a log level of ERROR or INFO.
Configure Logging Settings: Enable access logging and provide the ARN of the CloudWatch Logs log group that should receive the logs, together with the log format. The IAM role that lets API Gateway write to CloudWatch Logs is set once per region under the API Gateway account settings, not on the stage itself.
Save Configuration: Save the changes to apply the logging configuration to the API stage.
Test Logging: Send a few requests to the API and confirm that entries appear in the access log group you specified and, for execution logs, in the API-Gateway-Execution-Logs_{rest-api-id}/{stage-name} log group.
By following these steps, you will successfully enable logging for the API Gateway stage, ensuring compliance with the NIST 800-53 Revision 5 security standard.
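The same check and fix can be scripted instead of clicked through. The following is an added example, not part of the original rule page: it evaluates stage configurations in the shape that `aws apigateway get-stage` returns (execution logging via the stage-wide `*/*` method setting, access logging via the destination ARN) and builds the `patchOperations` list that `aws apigateway update-stage` takes to remediate a failing stage. The three stages in `SAMPLE_STAGES` are constructed for the example; `audit_live` is the only part that needs AWS credentials and boto3.

```python
"""Audit API Gateway REST API stages for logging and build the remediation
patch for `aws apigateway update-stage`.

Stage dicts follow the shape returned by `aws apigateway get-stage` and
`get-stages`. The stages in SAMPLE_STAGES are constructed for this example.
"""
from __future__ import annotations

import json
from typing import Any

# Access log format from the AWS documentation (Common Log Format layout).
ACCESS_LOG_FORMAT = (
    "$context.identity.sourceIp $context.identity.caller $context.identity.user "
    '[$context.requestTime] "$context.httpMethod $context.resourcePath $context.protocol" '
    "$context.status $context.responseLength $context.requestId"
)

# Execution logging levels that actually produce log events; OFF produces none.
ACTIVE_LEVELS = ("ERROR", "INFO")


def execution_logging_enabled(stage: dict[str, Any]) -> bool:
    """True when the stage-wide '*/*' method setting logs at ERROR or INFO.
    A missing methodSettings entry (stage never configured) counts as OFF."""
    level = stage.get("methodSettings", {}).get("*/*", {}).get("loggingLevel", "OFF")
    return level.upper() in ACTIVE_LEVELS


def access_logging_enabled(stage: dict[str, Any]) -> bool:
    """True when accessLogSettings points at a CloudWatch Logs log group or a
    Kinesis Data Firehose delivery stream."""
    dest = stage.get("accessLogSettings", {}).get("destinationArn", "")
    return dest.startswith(("arn:aws:logs:", "arn:aws:firehose:"))


def evaluate_stage(stage: dict[str, Any]) -> dict[str, Any]:
    """Return one finding per stage; compliant only when both log types are on.
    dataTraceEnabled is surfaced because it logs request/response bodies."""
    settings = stage.get("methodSettings", {}).get("*/*", {})
    execution = execution_logging_enabled(stage)
    access = access_logging_enabled(stage)
    return {
        "stageName": stage.get("stageName", "<unknown>"),
        "executionLogging": execution,
        "accessLogging": access,
        "dataTraceEnabled": bool(settings.get("dataTraceEnabled", False)),
        "compliant": execution and access,
    }


def remediation_patch(log_group_arn: str, level: str = "INFO") -> list[dict[str, str]]:
    """patchOperations for `aws apigateway update-stage` that enable stage-wide
    execution logging and access logging to the given CloudWatch Logs group.
    Data trace is explicitly forced off so request bodies never land in logs."""
    if level.upper() not in ACTIVE_LEVELS:
        raise ValueError(f"loggingLevel must be one of {ACTIVE_LEVELS}, got {level!r}")
    # API Gateway rejects the ':*' suffix that GetAtt LogGroup.Arn appends.
    if not log_group_arn.startswith("arn:aws:logs:") or log_group_arn.endswith(":*"):
        raise ValueError("destinationArn must be a CloudWatch Logs log group ARN without a trailing ':*'")
    return [
        {"op": "replace", "path": "/*/*/logging/loglevel", "value": level.upper()},
        {"op": "replace", "path": "/*/*/logging/dataTrace", "value": "false"},
        {"op": "replace", "path": "/accessLogSettings/destinationArn", "value": log_group_arn},
        {"op": "replace", "path": "/accessLogSettings/format", "value": ACCESS_LOG_FORMAT},
    ]


# Constructed sample stages: one compliant, one explicitly OFF, one never configured.
SAMPLE_STAGES = [
    {
        "stageName": "prod",
        "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": False, "metricsEnabled": True}},
        "accessLogSettings": {
            "destinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:/api-gateway-logs",
            "format": ACCESS_LOG_FORMAT,
        },
    },
    {"stageName": "dev", "methodSettings": {"*/*": {"loggingLevel": "OFF", "dataTraceEnabled": False}}},
    {"stageName": "test", "methodSettings": {}},
]


def audit_live(rest_api_id: str, region: str | None = None) -> list[dict[str, Any]]:
    """Evaluate every stage of a real REST API (requires boto3 and AWS credentials)."""
    import boto3  # imported here so the offline checks above do not need it

    client = boto3.client("apigateway", region_name=region)
    return [evaluate_stage(s) for s in client.get_stages(restApiId=rest_api_id)["item"]]


if __name__ == "__main__":
    for finding in (evaluate_stage(s) for s in SAMPLE_STAGES):
        print(json.dumps(finding))
    # Paste the output into: aws apigateway update-stage --rest-api-id ID --stage-name NAME --patch-operations '<json>'
    print(json.dumps(remediation_patch("arn:aws:logs:us-east-1:123456789012:log-group:/api-gateway-logs")))
```

The finding treats a stage as compliant only when both execution and access logging are on, which is stricter than some scanners that look at just one; relax `compliant` if your rule engine only evaluates the `*/*` log level. The `:*` check matters in practice because passing a CloudFormation `!GetAtt LogGroup.Arn` straight into the destination is the most common reason the update is rejected.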