
Enable API Gateway Stage Logging Rule

This rule requires enabling logging for API Gateway stages to ensure proper monitoring.

Rule: API Gateway stage logging should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description:

The rule requires that execution logging is enabled for every API Gateway REST stage, in line with the audit and accountability (AU) controls of NIST 800-53 Revision 5. Stage logs record the requests API Gateway handles, the integration responses it receives and the errors it returns; without them there is no record to monitor, investigate or audit.

Troubleshooting Steps:

If stage logging is not enabled for an API Gateway stage as required by NIST 800-53 Revision 5, follow these steps to troubleshoot the issue:

  1. Check the current logging configuration for the API Gateway stage (in the console, or with aws apigateway get-stage and inspect the methodSettings entry for "*/*").
  2. Verify whether the required logging options are missing or misconfigured: a log level of OFF, or no stage-wide method setting at all, means logging is disabled.
  3. Ensure that the account has a CloudWatch Logs role configured (the cloudwatchRoleArn in the API Gateway account settings). API Gateway writes stage logs through this role, and enabling logging on a stage fails until it is set. Also confirm that the identity making the change may update the stage.
  4. Confirm whether any customizations or resource limitations are hampering stage logging, for example a CloudWatch Logs resource policy or quota on the destination log group.
  5. Review the system logs and error messages for related issues; the error returned by update-stage usually names the missing setting.
  6. Check for conflicting settings or policies that may prevent stage logging, such as a redeployment pipeline or infrastructure-as-code template that resets the stage configuration.

Necessary Codes:

No application code is involved in this rule: enabling logging for an API Gateway stage is a configuration change. The change can be made with the AWS CLI update-stage command. Execution logging is configured per method, and the stage-wide default is addressed with the /*/*/ path prefix, so the patch paths below must include it; a path such as /logging/loglevel on its own is rejected as invalid. The account-level CloudWatch Logs role (cloudwatchRoleArn) must already be set, or the command fails.

  1. To enable logging for a specific API Gateway stage, use the update-stage command with the corresponding patch operations:

aws apigateway update-stage --rest-api-id <rest-api-id> --stage-name <stage-name> --patch-operations op=replace,path=/*/*/logging/loglevel,value=INFO op=replace,path=/*/*/logging/dataTrace,value=true

Replace <rest-api-id> with the ID of the API and <stage-name> with the name of the stage for which logging needs to be enabled. The log level may be ERROR (errors only) or INFO (all requests); either satisfies the rule. The dataTrace setting is optional: it writes full request and response data, including headers and bodies, to the log, so enable it only where that content (which can include credentials and personal data) is acceptable in CloudWatch Logs, and otherwise set value=false.

  2. To disable logging for a specific stage, use the same command with the values reversed:

aws apigateway update-stage --rest-api-id <rest-api-id> --stage-name <stage-name> --patch-operations op=replace,path=/*/*/logging/loglevel,value=OFF op=replace,path=/*/*/logging/dataTrace,value=false

Remediation Steps:

Follow these steps to enable logging for the API Gateway stage in compliance with NIST 800-53 Revision 5:

  1. Open the API Gateway Management Console.
  2. Navigate to the desired API.
  3. Select the stage for which you want to enable logging.
  4. Open the "Logs/Tracing" tab (the exact section names differ slightly between console versions).
  5. Under the "CloudWatch Settings" section, select the "Enable CloudWatch Logs" checkbox. This controls execution logging, which is what the rule checks; the separate "Custom Access Logging" section configures access logs and is not required by this rule.
  6. Set the log level. ERROR records only failed requests; INFO records every request and gives the fuller audit trail, at the cost of higher log volume. Either value satisfies the rule.
  7. Optionally enable "Log full requests/responses data". This writes request and response headers and bodies to the log, which can expose credentials and personal data, so leave it off unless the stage's traffic is safe to retain in CloudWatch Logs.
  8. Click "Save Changes" to save the logging configuration for the stage.
  9. Ensure that the necessary permissions are in place: the API Gateway account settings must name a CloudWatch Logs role (for example one with the AmazonAPIGatewayPushToCloudWatchLogs managed policy), and the log group for the stage must be readable by the people who monitor it.

After these steps the stage writes execution logs to CloudWatch Logs, satisfying the rule and giving the monitoring and audit record that NIST 800-53 Revision 5 expects. Re-check the stage after each redeployment, since infrastructure-as-code templates that do not declare the logging settings can reset them.
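The following is an added example, not code from the original page or from the rule's vendor. It applies the check described above to the JSON that aws apigateway get-stage (or boto3's get_stage) returns for one stage, and then builds the patch operations for the update-stage command from the "Necessary Codes" section. The sample stage document is constructed for this example. Treating the stage-wide "*/*" method setting as the rule's requirement, and reporting access logging separately, is an assumption about how the rule is evaluated; the log group ARN and API ID used in the usage call are placeholders.

```python
"""Audit an API Gateway REST stage for execution logging and build the
remediation patch for `aws apigateway update-stage`.

Added example (not the page's or vendor's code). Input shape is the
get-stage response; the sample below is constructed.
"""
import json

# Log levels that satisfy the rule. OFF, or no stage-wide setting, is a finding.
ACCEPTED_LEVELS = {"ERROR", "INFO"}

# Constructed sample: logging switched off stage-wide, no access log destination.
SAMPLE_STAGE = {
    "stageName": "prod",
    "deploymentId": "abc123",
    "methodSettings": {
        "*/*": {"loggingLevel": "OFF", "dataTraceEnabled": False, "metricsEnabled": True}
    },
    "tracingEnabled": False,
}


def load_stage(text):
    """Parse the JSON printed by `aws apigateway get-stage`."""
    return json.loads(text)


def evaluate_stage(stage):
    """Return a result dict for one stage.

    'compliant' follows the rule: the stage-wide "*/*" method setting must
    have loggingLevel ERROR or INFO. Access logging is reported alongside
    (assumption: it is informational here, not part of the rule).
    """
    default = stage.get("methodSettings", {}).get("*/*", {})
    level = default.get("loggingLevel", "OFF")
    access_arn = stage.get("accessLogSettings", {}).get("destinationArn")
    return {
        "stage": stage.get("stageName"),
        "execution_log_level": level,
        "execution_logging": level in ACCEPTED_LEVELS,
        "data_trace_enabled": bool(default.get("dataTraceEnabled", False)),
        "access_logging": bool(access_arn),
        "compliant": level in ACCEPTED_LEVELS,
    }


def remediation_patch(level="INFO", data_trace=False, access_log_group_arn=None):
    """Build the update-stage patch operations that fix a non-compliant stage.

    data_trace defaults to False: full request/response logging captures
    headers and bodies, which can include credentials and personal data.
    Access logging is only added when a destination ARN is supplied, and
    API Gateway requires a format alongside the destination.
    """
    if level not in ACCEPTED_LEVELS:
        raise ValueError("level must be ERROR or INFO to satisfy the rule")
    ops = [
        {"op": "replace", "path": "/*/*/logging/loglevel", "value": level},
        {"op": "replace", "path": "/*/*/logging/dataTrace",
         "value": "true" if data_trace else "false"},
    ]
    if access_log_group_arn:
        access_format = json.dumps({
            "requestId": "$context.requestId",
            "ip": "$context.identity.sourceIp",
            "method": "$context.httpMethod",
            "path": "$context.path",
            "status": "$context.status",
        })
        ops.append({"op": "replace", "path": "/accessLogSettings/destinationArn",
                    "value": access_log_group_arn})
        ops.append({"op": "replace", "path": "/accessLogSettings/format",
                    "value": access_format})
    return ops


def cli_command(rest_api_id, stage_name, ops):
    """Render the patch as one update-stage call; the JSON list form avoids
    the quoting problems of the shorthand syntax when values contain commas."""
    return ("aws apigateway update-stage --rest-api-id {} --stage-name {} "
            "--patch-operations '{}'".format(rest_api_id, stage_name, json.dumps(ops)))


if __name__ == "__main__":
    result = evaluate_stage(SAMPLE_STAGE)
    print(json.dumps(result, indent=2))
    if not result["compliant"]:
        # Placeholder API ID and log group ARN; substitute real values.
        ops = remediation_patch(
            level="INFO",
            access_log_group_arn="arn:aws:logs:us-east-1:123456789012:log-group:api-access",
        )
        print(cli_command("a1b2c3d4e5", result["stage"], ops))
```

Run it against real output with load_stage(open("stage.json").read()) after saving aws apigateway get-stage --rest-api-id <id> --stage-name <name> to a file; a stage with no methodSettings at all is reported as OFF, which matches how API Gateway behaves.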
