A rule stating that API Gateway stage logging must be enabled for compliance
Rule | API Gateway stage logging should be enabled
Framework | NIST 800-53 Revision 5
Severity | High
Description
This rule requires that logging be enabled on every API Gateway stage, in support of the audit-logging controls (the AU family) of NIST 800-53 Revision 5. A stage can emit two kinds of logs: access logs, one record per request written to a CloudWatch Logs group you choose, and execution logs, which record API Gateway's own request and response processing at level ERROR or INFO. The check described on this page is the access-log configuration (accessLogSettings) of the stage.
With logging enabled, every request to the stage is recorded and can be monitored for troubleshooting, security monitoring and investigation of incidents or unauthorized access attempts. One caveat: execution logging with full request/response data tracing writes headers and bodies, including authorization tokens, into the log group, so keep data tracing off in production and restrict read access to the log groups.
Troubleshooting Steps
If access logging is not enabled on a stage, first confirm the current state with the get-stage CLI call and inspect its accessLogSettings block (both destinationArn and format must be set for logging to be on), then enable it with the steps below:
Code Example
If you prefer the AWS Command Line Interface (CLI), enable access logging on the stage with a single update-stage call. Both patch operations must be passed to one --patch-operations option (repeating the option replaces the earlier value rather than appending):
aws apigateway update-stage \
  --rest-api-id <API_ID> \
  --stage-name <STAGE_NAME> \
  --patch-operations \
    op=replace,path=/accessLogSettings/destinationArn,value=<LOG_GROUP_ARN> \
    op=replace,path=/accessLogSettings/format,value='<LOG_FORMAT>'
Replace the following placeholders:
<API_ID>: The ID of the REST API containing the stage.
<STAGE_NAME>: The name of the stage for which you want to enable logging.
<LOG_GROUP_ARN>: The ARN of the CloudWatch Logs log group that will receive the access logs (a log group ARN, not a log stream ARN).
<LOG_FORMAT>: The access-log format string, built from $context variables (for example $context.requestId $context.identity.sourceIp $context.httpMethod $context.resourcePath $context.status). CLF, JSON, XML and CSV are merely layouts of such a string; the value is the string itself, not the word "json" or "csv". Because the CLI's shorthand syntax splits on commas, a JSON-shaped format string should be supplied as a JSON document instead (for example --patch-operations file://patch.json).
Once executed, the command enables access logging for the specified stage; verify with get-stage that accessLogSettings now shows both values.
Remediation Steps
To remediate a stage that has logging disabled, follow the steps below:
Alternatively, you can use the AWS Command Line Interface (CLI) to enable API Gateway stage logging. Execute the following command:
aws apigateway update-stage \
  --rest-api-id <API_ID> \
  --stage-name <STAGE_NAME> \
  --patch-operations \
    op=replace,path=/accessLogSettings/destinationArn,value=<LOG_GROUP_ARN> \
    op=replace,path=/accessLogSettings/format,value='<LOG_FORMAT>'
Replace the placeholders with the values described earlier for your API and log group. Two prerequisites apply: the log group must already exist, and the API Gateway account settings must carry a CloudWatch Logs role (the cloudwatchRoleArn set through update-account); without that role the update-stage call fails with an error stating that the CloudWatch Logs role ARN must be set in account settings. To turn on execution logging as well, add a third operation with path /*/*/logging/loglevel and value ERROR or INFO to the same call.
Once the stage reports both accessLogSettings values, it satisfies this rule and the corresponding NIST 800-53 Revision 5 audit-logging requirement.
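The following added example serves both the Troubleshooting Steps and the Remediation Steps above: it evaluates a stage the way this rule does (both accessLogSettings values present) and, when the stage fails, builds and applies the same update-stage patch, adding execution logging in the same call. It is not code from the original page; it assumes the documented response shape of get-stage and the boto3 client methods get_stage and update_stage, and the sample stage documents, the FakeClient, the log group ARN and the API ID are constructed for offline use.

```python
"""Added example (not part of the original rule page): evaluate an API Gateway
REST stage for access and execution logging and build the update-stage patch.
Uses the documented response shape of `get-stage` and the boto3 client methods
get_stage / update_stage; the sample stage documents and the FakeClient below
are constructed for offline use."""
import re
from typing import Dict, List, Tuple

# JSON access-log format built only from documented $context variables.
ACCESS_LOG_FORMAT = (
    '{"requestId":"$context.requestId","ip":"$context.identity.sourceIp",'
    '"caller":"$context.identity.caller","user":"$context.identity.user",'
    '"requestTime":"$context.requestTime","httpMethod":"$context.httpMethod",'
    '"resourcePath":"$context.resourcePath","status":"$context.status",'
    '"protocol":"$context.protocol","responseLength":"$context.responseLength"}'
)

_LOG_GROUP_ARN = re.compile(r"^arn:aws:logs:[a-z0-9-]+:\d{12}:log-group:[^:*]+$")


def normalize_log_group_arn(arn: str) -> str:
    """Return a destination ARN for accessLogSettings/destinationArn.
    Assumption: the trailing ':*' that the CloudWatch console shows is stripped;
    log-stream ARNs and anything else are rejected."""
    arn = arn[:-2] if arn.endswith(":*") else arn
    if not _LOG_GROUP_ARN.match(arn):
        raise ValueError(f"not a CloudWatch log group ARN: {arn}")
    return arn


def evaluate_stage(stage: Dict) -> Dict[str, object]:
    """Judge one get-stage response. Access logging is on only when BOTH
    destinationArn and format are set; execution logging is the loggingLevel
    on the '*/*' (all resources, all methods) method setting."""
    access = stage.get("accessLogSettings") or {}
    access_ok = bool(access.get("destinationArn")) and bool(access.get("format"))
    settings = (stage.get("methodSettings") or {}).get("*/*", {})
    level = settings.get("loggingLevel", "OFF")
    return {
        "stageName": stage.get("stageName"),
        "accessLogging": access_ok,
        "executionLogLevel": level,
        # dataTraceEnabled writes full request/response bodies (tokens included)
        "dataTrace": bool(settings.get("dataTraceEnabled", False)),
        "compliant": access_ok and level in ("ERROR", "INFO"),
    }


def build_patch_operations(log_group_arn: str, log_level: str = "INFO",
                           fmt: str = ACCESS_LOG_FORMAT) -> List[Dict[str, str]]:
    """One patchOperations list enabling access logging and execution logging."""
    if log_level not in ("OFF", "ERROR", "INFO"):
        raise ValueError(f"invalid loglevel: {log_level}")
    return [
        {"op": "replace", "path": "/accessLogSettings/destinationArn",
         "value": normalize_log_group_arn(log_group_arn)},
        {"op": "replace", "path": "/accessLogSettings/format", "value": fmt},
        {"op": "replace", "path": "/*/*/logging/loglevel", "value": log_level},
    ]


def remediate(rest_api_id: str, stage_name: str, log_group_arn: str,
              client=None, apply: bool = False
              ) -> Tuple[Dict[str, object], List[Dict[str, str]]]:
    """Check a stage and, with apply=True, push the patch. Returns the finding
    and the operations applied (empty when the stage was already compliant)."""
    if client is None:
        import boto3  # assumption: boto3 installed and credentials configured
        client = boto3.client("apigateway")
    finding = evaluate_stage(client.get_stage(restApiId=rest_api_id, stageName=stage_name))
    if finding["compliant"] or not apply:
        return finding, []
    ops = build_patch_operations(log_group_arn)
    client.update_stage(restApiId=rest_api_id, stageName=stage_name, patchOperations=ops)
    return finding, ops


class FakeClient:
    """Constructed stand-in for boto3's apigateway client, for offline runs."""
    def __init__(self, stage: Dict):
        self.stage, self.updates = stage, []

    def get_stage(self, restApiId: str, stageName: str) -> Dict:
        return dict(self.stage, stageName=stageName)

    def update_stage(self, restApiId: str, stageName: str, patchOperations: List[Dict]) -> Dict:
        self.updates.append(patchOperations)
        return {}


LOG_GROUP = "arn:aws:logs:us-east-1:123456789012:log-group:/apigw/prod-access"
# Constructed get-stage responses: one with no logging at all, one compliant.
NONCOMPLIANT_STAGE = {"stageName": "prod", "methodSettings": {}}
COMPLIANT_STAGE = {
    "stageName": "prod",
    "accessLogSettings": {"destinationArn": LOG_GROUP, "format": ACCESS_LOG_FORMAT},
    "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": False}},
}


def demo() -> Tuple[bool, int]:
    """Offline run against the constructed non-compliant stage: returns the
    pre-remediation verdict and how many update-stage calls were made."""
    fake = FakeClient(NONCOMPLIANT_STAGE)
    finding, _ops = remediate("a1b2c3d4e5", "prod", LOG_GROUP + ":*", client=fake, apply=True)
    return finding["compliant"], len(fake.updates)


if __name__ == "__main__":
    print(demo())
```

Run against a real account by calling remediate() without a client; leave apply at its default of False for a read-only audit, and set the account-level CloudWatch Logs role before applying, since update-stage rejects logging settings until it exists.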