This rule ensures that API Gateway stage logging is enabled to maintain compliance and security.
Rule | API Gateway stage logging should be enabled |
Framework | NIST 800-53 Revision 5 |
Severity | ✔ High |
API Gateway Stage Logging for NIST 800-53 Revision 5
Description:
Enabling logging for API Gateway stages is a crucial security measure that helps meet the requirements of NIST 800-53 Revision 5. API Gateway allows you to monitor and record log data for each stage, providing valuable insights into the traffic and activity of your APIs. By enabling stage logging, you ensure that all API events are logged, including requests, responses, and potential security threats.
Troubleshooting Steps:
Necessary Codes:
To enable API Gateway stage logging, adjust the settings of the respective stage with an AWS CLI command or through the API Gateway console. Here is an example of the AWS CLI command. The /*/*/ prefix in the patch path applies the log level to every resource and method in the stage, and the patch operation is quoted so the shell does not expand the asterisks:
aws apigateway update-stage --rest-api-id <REST-API-ID> --stage-name <STAGE-NAME> --patch-operations 'op=replace,path=/*/*/logging/loglevel,value=<LOGGING-LEVEL>'
Replace the following placeholders in the command:
<REST-API-ID>: The ID of your API Gateway REST API.
<STAGE-NAME>: The name of the stage for which you want to enable logging.
<LOGGING-LEVEL>: The desired logging level (e.g., INFO, ERROR, OFF).
Step-by-Step Guide for Remediation:
Open the API Gateway Management Console.
Select the desired API from the list.
In the navigation pane, click on "Stages".
Locate and select the stage for which you want to enable logging.
In the stage details section, click on the "Logs/Tracing" tab.
Under the "CloudWatch Settings" section, click on the "Edit" button.
Enable the "Enable CloudWatch Logs" option.
Specify the desired logging level in the "Log Level" field.
Click "Save changes" to apply the logging configuration.
Optionally, you can configure advanced settings such as log groups, data retention, and data sampling if desired.
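To check the result across every stage of an API rather than one stage at a time, the following added example (not part of the original rule text) audits JSON shaped like the output of `aws apigateway get-stages` and builds the matching `update-stage` command for each stage that fails. It assumes that only ERROR or INFO counts as enabled and that a per-method override set to OFF should also be flagged; the sample data, the `~1health/GET` override key and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws apigateway get-stages` output (not real data).
SAMPLE_GET_STAGES = json.loads("""
{"item": [
  {"stageName": "prod", "methodSettings": {"*/*": {"loggingLevel": "INFO"}}},
  {"stageName": "beta", "methodSettings": {"*/*": {"loggingLevel": "OFF"}}},
  {"stageName": "dev"},
  {"stageName": "qa", "methodSettings": {
      "*/*": {"loggingLevel": "ERROR"},
      "~1health/GET": {"loggingLevel": "OFF"}}}
]}
""")

ENABLED_LEVELS = {"ERROR", "INFO"}  # assumption: OFF or absent counts as not enabled


def audit_stages(get_stages_output):
    """Return {stage_name: [method-setting keys without execution logging]}."""
    findings = {}
    for stage in get_stages_output.get("item", []):
        settings = stage.get("methodSettings") or {}
        # No "*/*" entry means no stage-wide log level was ever set.
        bad = [] if "*/*" in settings else ["*/*"]
        bad += [key for key, cfg in sorted(settings.items())
                if cfg.get("loggingLevel", "OFF") not in ENABLED_LEVELS]
        if bad:
            findings[stage["stageName"]] = bad
    return findings


def remediation_command(rest_api_id, stage_name, keys, level="ERROR"):
    """Build the update-stage call that sets `level` on each flagged key."""
    if level not in ENABLED_LEVELS:
        raise ValueError("level must be ERROR or INFO to enable logging")
    ops = " ".join(f"'op=replace,path=/{key}/logging/loglevel,value={level}'"
                   for key in keys)
    return (f"aws apigateway update-stage --rest-api-id {rest_api_id} "
            f"--stage-name {stage_name} --patch-operations {ops}")


if __name__ == "__main__":
    for name, keys in audit_stages(SAMPLE_GET_STAGES).items():
        print(name, keys)
        print(" ", remediation_command("<REST-API-ID>", name, keys))
```

Feed it the parsed output of `aws apigateway get-stages --rest-api-id <REST-API-ID>` in place of the sample to audit a real API.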
Conclusion:
Enabling API Gateway stage logging for NIST 800-53 Revision 5 ensures that your API traffic is adequately monitored and logged for security and compliance purposes. By following the troubleshooting steps and using the provided CLI command and remediation guide, you can promptly enable stage logging and meet the specified requirements.