Rule: API Gateway Stage Logging Should Be Enabled

Ensure logging is enabled for API Gateway stages to enhance security and monitoring.

Rule: API Gateway stage logging should be enabled
Framework: NIST 800-53 Revision 5
Severity: High

API Gateway Stage Logging for NIST 800-53 Revision 5

Description

API Gateway stage logging should be enabled to comply with the security requirements outlined in NIST 800-53 Revision 5. This ensures that all relevant API events and logs are captured, allowing for effective security monitoring, incident response, and compliance auditing.

Troubleshooting Steps

If stage logging is not enabled or not functioning properly, you can follow these troubleshooting steps:

  1. Check Logging Configuration: Verify that the API Gateway stage logging is enabled in the AWS Management Console or using the AWS CLI. Ensure that the appropriate log destination, such as Amazon CloudWatch Logs, has been configured.
  2. Check IAM Permissions: Ensure that the IAM roles or users associated with the API Gateway have the necessary permissions to write logs to the configured log destination. You can review and modify IAM policies to grant the required permissions.
  3. Check API Gateway Stage Settings: Validate that the API Gateway stage is correctly configured to send logs to the desired log destination. Double-check the settings related to logging options and verify that they match your intended configuration.
  4. Check CloudWatch Logs: If you are using CloudWatch Logs as the log destination, ensure that the log group and log stream are correctly set up. Check if the log group and stream have any issues or if they are reaching their storage limits.
  5. Review CloudTrail: If you utilize AWS CloudTrail to monitor API Gateway events, review the CloudTrail logs to identify any potential errors or issues related to stage logging.
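The first troubleshooting step (checking the logging configuration) can be scripted rather than clicked through. The following evaluator is an added example, not Cloud Defense's or AWS's code: it consumes the JSON that `aws apigateway get-stages --rest-api-id <API_ID>` returns (or the embedded, constructed sample when run without input) and reports every stage whose access-log destination is unset. It also reports a destination that has no log format, since such a configuration produces no useful log lines, and notes the execution logging level from methodSettings for context. All stage names and ARNs in the sample are made up.

```python
"""Evaluate API Gateway stages against the 'stage logging enabled' rule.

Added example (not Cloud Defense's or AWS's code). Input is the JSON shape
produced by `aws apigateway get-stages --rest-api-id <API_ID>`. Pipe real
output in via stdin, or run stand-alone to evaluate the embedded sample.
"""
import json
import sys

# Constructed sample mirroring get-stages output: one compliant stage, one
# stage with no access logging at all, one with execution logging only.
SAMPLE_GET_STAGES = json.dumps({
    "item": [
        {
            "stageName": "prod",
            "accessLogSettings": {
                "destinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:/apigw/prod",
                "format": "$context.requestId $context.identity.sourceIp $context.status",
            },
            "methodSettings": {"*/*": {"loggingLevel": "INFO"}},
        },
        {"stageName": "dev", "methodSettings": {}},
        {"stageName": "test", "methodSettings": {"*/*": {"loggingLevel": "ERROR"}}},
    ]
})


def execution_logging_level(stage):
    """Execution (CloudWatch) log level for the stage-wide '*/*' method setting."""
    settings = stage.get("methodSettings") or {}
    return settings.get("*/*", {}).get("loggingLevel", "OFF")


def evaluate_stage(stage):
    """Return (compliant, reasons) for one stage dict from get-stages output.

    Compliance for this rule means an access-log destination is configured.
    """
    reasons = []
    access = stage.get("accessLogSettings") or {}
    if not access.get("destinationArn"):
        reasons.append("accessLogSettings.destinationArn is not set")
    elif not access.get("format"):
        reasons.append("access log destination set but accessLogSettings.format is empty")
    # Execution logging is reported for context only; it does not decide the rule.
    level = execution_logging_level(stage)
    if reasons:
        reasons.append(f"execution logging level for */* is {level}")
    return (not reasons, reasons)


def evaluate_stages(get_stages_json):
    """Map stage name -> reasons for every stage that fails the rule."""
    findings = {}
    for stage in json.loads(get_stages_json).get("item", []):
        compliant, reasons = evaluate_stage(stage)
        if not compliant:
            findings[stage["stageName"]] = reasons
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    findings = evaluate_stages(data if data.strip() else SAMPLE_GET_STAGES)
    for name, reasons in findings.items():
        print(f"NON-COMPLIANT stage {name}: " + "; ".join(reasons))
    # Non-zero exit lets a CI job or cron check fail on any unlogged stage.
    sys.exit(1 if findings else 0)
```

Run it once per REST API, e.g. `aws apigateway get-stages --rest-api-id <API_ID> | python3 check_stage_logging.py`; the exit status makes it usable as a scheduled compliance check.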

Necessary Codes

Here are some code snippets that may be relevant for enabling API Gateway stage logging:

AWS CLI Command to Enable Stage Logging

aws apigateway update-stage \
    --rest-api-id <API_ID> \
    --stage-name <STAGE_NAME> \
    --patch-operations op=replace,path=/accessLogSettings/destinationArn,value=<DESTINATION_ARN>

Replace <API_ID> with the ID of your API and <STAGE_NAME> with the name of the specific stage you want to enable logging for. Additionally, replace <DESTINATION_ARN> with the ARN of the log destination (e.g., the ARN of the CloudWatch Logs log group).

AWS CLI Command to Grant Logging Permissions

aws iam attach-role-policy \
    --role-name <ROLE_NAME> \
    --policy-arn <POLICY_ARN>

Replace <ROLE_NAME> with the name of the IAM role associated with the API Gateway, and <POLICY_ARN> with the ARN of the policy allowing log write permissions.

Remediation Steps

Follow these steps to enable API Gateway stage logging:

  1. Open the AWS Management Console and navigate to the Amazon API Gateway service.
  2. Select the desired API from the API list.
  3. In the left-hand sidebar, click on the "Stages" option.
  4. Locate and select the specific stage for which you want to enable logging.
  5. Click on the "Logs/Tracing" tab at the top of the stage configuration page.
  6. Under the "Access Logs" section, click the "Edit" button.
  7. Enable the toggle switch to turn on logging for the stage.
  8. Choose the desired log destination, such as CloudWatch Logs, from the "CloudWatch Logs" dropdown menu.
  9. Enter the ARN of the log destination in the provided field (e.g., the ARN of the CloudWatch Logs log group).
  10. Click "Save" to save the changes and enable stage logging.

Ensure that all necessary IAM permissions and policies are in place as mentioned in the troubleshooting steps. Validate the configuration by checking the log destination (e.g., CloudWatch Logs) for the presence of API Gateway stage logs.

By following these steps, you can successfully enable stage logging for API Gateway, ensuring compliance with NIST 800-53 Revision 5.
