Enable API Gateway Stage Logging Rule

This rule ensures that API Gateway stage logging is enabled to maintain compliance and security.

Rule: API Gateway stage logging should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

API Gateway Stage Logging for NIST 800-53 Revision 5

Description:

Enabling logging for API Gateway stages is a crucial security measure that helps meet the requirements of NIST 800-53 Revision 5. API Gateway can record execution log data for each stage in CloudWatch Logs, giving you visibility into the traffic and activity of your APIs. By enabling stage logging, you ensure that API events (requests, responses and errors) are logged, so that suspicious or malicious activity can be investigated after the fact.

Troubleshooting Steps:

  1. Verify IAM Permissions: Ensure that the user or role configuring API Gateway has the necessary permissions to enable logging on the desired stage.
  2. Check CloudWatch Logs Setup: Confirm that CloudWatch Logs is properly configured to capture the API Gateway logs. Make sure the log group and stream are correctly created and configured.
  3. Review API Gateway Execution Role: Ensure that the CloudWatch Logs role associated with API Gateway (set at the account level) has the appropriate permissions to write logs to CloudWatch Logs.
  4. Validate Resource Policy: Check the resource policy or access control policy of the log group in CloudWatch Logs to ensure that API Gateway is allowed to send logs to the specified log group.
  5. Review Traffic: If the logs aren't appearing as expected, check whether any traffic is reaching the designated stage of the API Gateway. A lack of traffic results in an absence of execution logs in CloudWatch.

Necessary Codes:

To enable API Gateway stage logging, adjust the settings of the respective stage using an AWS CLI command or the API Gateway console. The logging level is a method setting, so the patch path names the methods it applies to; the path below uses the wildcard resource and method (/*/*) so that logging is enabled for every method of the stage. Here is an example of the AWS CLI command:

aws apigateway update-stage --rest-api-id <REST-API-ID> --stage-name <STAGE-NAME> --patch-operations op='replace',path='/*/*/logging/loglevel',value='<LOGGING-LEVEL>'

Replace the following placeholders in the command:

  • <REST-API-ID>: The ID of your API Gateway REST API.
  • <STAGE-NAME>: The name of the stage for which you want to enable logging.
  • <LOGGING-LEVEL>: The desired logging level (INFO or ERROR; OFF disables execution logging and does not satisfy this rule).

Step-by-Step Guide for Remediation:

  1. Open the API Gateway Management Console.
  2. Select the desired API from the list.
  3. In the navigation pane, click on "Stages".
  4. Locate and select the stage for which you want to enable logging.
  5. In the stage details section, click on the "Logs/Tracing" tab.
  6. Under the "CloudWatch Settings" section, click on the "Edit" button.
  7. Enable the "Enable CloudWatch Logs" option.
  8. Specify the desired logging level in the "Log Level" field.
  9. Click "Save changes" to apply the logging configuration.
  10. Optionally, configure advanced settings such as log groups, data retention, and data sampling.

Conclusion:

Enabling API Gateway stage logging for NIST 800-53 Revision 5 ensures that your API traffic is adequately monitored and logged for security and compliance purposes. By following the troubleshooting steps and using the CLI command and remediation guide above, you can promptly enable stage logging and meet the specified requirements.
