Ensure logging is enabled for API Gateway stages to enhance security and monitoring.
Rule: API Gateway stage logging should be enabled
Framework: NIST 800-53 Revision 5
Severity: High
API Gateway Stage Logging for NIST 800-53 Revision 5
Description
API Gateway stage logging should be enabled so that the audit logging requirements of NIST 800-53 Revision 5 (the AU control family, e.g. AU-2 Event Logging and AU-12 Audit Record Generation) are met for the API. A REST API stage has two kinds of logging: access logs, one record per request written to a destination you choose (for example a CloudWatch Logs log group), and execution logs, which API Gateway writes to CloudWatch Logs at ERROR or INFO level. With both enabled, every request to the stage is recorded, which is what security monitoring, incident response and compliance auditing depend on.
Troubleshooting Steps
If stage logging is not enabled or logs are not arriving at the destination, check the two prerequisites covered by the commands below: the stage's log settings, and the IAM permissions API Gateway uses to write to CloudWatch Logs.
Necessary Codes
The following commands enable API Gateway stage logging.
AWS CLI Command to Enable Stage Logging
aws apigateway update-stage \
  --rest-api-id <API_ID> \
  --stage-name <STAGE_NAME> \
  --patch-operations \
    op=replace,path=/accessLogSettings/destinationArn,value=<DESTINATION_ARN> \
    op=replace,path=/accessLogSettings/format,value=<LOG_FORMAT> \
    'op=replace,path=/*/*/logging/loglevel,value=INFO'
Replace <API_ID> with the ID of your API and <STAGE_NAME> with the name of the stage you want to enable logging for. Replace <DESTINATION_ARN> with the ARN of the log destination; for CloudWatch Logs this is the ARN of the log group itself, without a trailing ":*". Replace <LOG_FORMAT> with the access log format, e.g. '$context.requestId $context.identity.sourceIp $context.httpMethod $context.resourcePath $context.status'; the destination and the format are configured together, so set both in the same call. The third operation turns on execution logging for every method in the stage (ERROR records only failed requests, INFO records every request). If the format contains commas, pass the patch operations as a JSON list instead of the key=value shorthand, because the shorthand parser splits on commas.
AWS CLI Command to Grant Logging Permissions
aws iam attach-role-policy \
  --role-name <ROLE_NAME> \
  --policy-arn <POLICY_ARN>
Replace <ROLE_NAME> with the name of the IAM role that API Gateway assumes to write to CloudWatch Logs, and <POLICY_ARN> with the ARN of a policy allowing log write permissions; the AWS managed policy arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs grants exactly those (creating log groups and streams, putting log events). The role must trust the apigateway.amazonaws.com service principal, and for REST APIs it is registered once per account and region as the cloudwatchRoleArn account setting (aws apigateway update-account), not on the API itself; until that setting exists, enabling execution logging on a stage fails with an error that the CloudWatch Logs role ARN must be set in account settings.
Remediation Steps
Follow these steps to enable API Gateway stage logging:
1. Make sure the IAM role and policy described above are in place and the role is registered as the account's CloudWatch Logs role.
2. Run the update-stage command above for each stage that should be logged, setting the access log destination and format and the execution log level in the same call.
3. Validate the configuration by describing the stage (aws apigateway get-stage) and by checking the log destination, e.g. the CloudWatch Logs log group, for the presence of API Gateway stage logs after sending a test request.
By following these steps, you enable stage logging for API Gateway and satisfy the audit logging requirement of NIST 800-53 Revision 5 for the API.
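The validation step is easier to repeat across many stages as a script than by eyeballing console pages. The following Python is an added example, not code from this page or from AWS: it audits the JSON that `aws apigateway get-stage` prints for both kinds of logging (access log destination and format, stage-wide execution log level), catches the two common half-done states (a destination ARN with a ":*" suffix, a destination set without a format), and builds the `update-account` and `update-stage` command lines that fix a non-compliant stage. The API ID, stage name, role ARN, log group ARN and the three sample stage documents are constructed for the example and are not real resources.

```python
"""Audit an API Gateway REST API stage for logging and build the CLI calls that fix it.

Added example for this page, not code from the page or from AWS. It operates on the JSON
that `aws apigateway get-stage --rest-api-id <API_ID> --stage-name <STAGE_NAME>` prints;
the ARNs, IDs and sample stage documents below are constructed and not real resources.
"""
import json
import re
import shlex
from typing import Dict, List

# Constructed values for the example; substitute your own.
API_ID = "a1b2c3d4e5"
STAGE_NAME = "prod"
CLOUDWATCH_ROLE_ARN = "arn:aws:iam::123456789012:role/apigw-cloudwatch-logs"
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/apigw/petstore-prod"

# One JSON object per request; the $context variables are the ones API Gateway exposes.
ACCESS_LOG_FORMAT = json.dumps({
    "requestId": "$context.requestId",
    "sourceIp": "$context.identity.sourceIp",
    "requestTime": "$context.requestTime",
    "httpMethod": "$context.httpMethod",
    "resourcePath": "$context.resourcePath",
    "status": "$context.status",
    "responseLength": "$context.responseLength",
})

# The access-log destination must be the log group ARN itself, with no ':*' suffix.
LOG_GROUP_ARN_RE = re.compile(r"^arn:aws:logs:[a-z0-9-]+:\d{12}:log-group:[^:]+$")


def audit_stage(stage: Dict) -> List[str]:
    """Return findings for a get-stage document; an empty list means access logging
    and stage-wide execution logging are both configured."""
    findings: List[str] = []
    access = stage.get("accessLogSettings") or {}
    dest = access.get("destinationArn", "")
    if not dest:
        findings.append("access logging: no destinationArn")
    elif not LOG_GROUP_ARN_RE.match(dest):
        findings.append(f"access logging: destinationArn is not a plain log-group ARN: {dest}")
    if dest and not access.get("format"):
        findings.append("access logging: destinationArn set without a format")
    # Execution logging is a per-method setting; the '*/*' key is the stage-wide default.
    level = (stage.get("methodSettings") or {}).get("*/*", {}).get("loggingLevel", "OFF")
    if level not in ("ERROR", "INFO"):
        findings.append(f"execution logging: loggingLevel for */* is {level}, want ERROR or INFO")
    return findings


def update_account_command(role_arn: str = CLOUDWATCH_ROLE_ARN) -> List[str]:
    """argv that registers the CloudWatch Logs role API Gateway uses in this account/region."""
    ops = [{"op": "replace", "path": "/cloudwatchRoleArn", "value": role_arn}]
    return ["aws", "apigateway", "update-account", "--patch-operations", json.dumps(ops)]


def update_stage_command(api_id: str = API_ID, stage_name: str = STAGE_NAME,
                         log_group_arn: str = LOG_GROUP_ARN, fmt: str = ACCESS_LOG_FORMAT,
                         level: str = "INFO") -> List[str]:
    """argv for update-stage that turns on access logging and execution logging together.
    The patch operations are passed as a JSON list rather than key=value shorthand because
    the access-log format contains commas, which the shorthand parser would split on."""
    ops = [
        {"op": "replace", "path": "/accessLogSettings/destinationArn", "value": log_group_arn},
        {"op": "replace", "path": "/accessLogSettings/format", "value": fmt},
        {"op": "replace", "path": "/*/*/logging/loglevel", "value": level},
    ]
    return ["aws", "apigateway", "update-stage", "--rest-api-id", api_id,
            "--stage-name", stage_name, "--patch-operations", json.dumps(ops)]


# Constructed, abridged get-stage outputs: no logging, a half-done configuration, compliant.
STAGE_NO_LOGGING = {"stageName": "prod", "deploymentId": "d1", "methodSettings": {}}
STAGE_HALF_DONE = {
    "stageName": "prod", "deploymentId": "d1",
    "accessLogSettings": {"destinationArn": LOG_GROUP_ARN + ":*"},
    "methodSettings": {"*/*": {"loggingLevel": "ERROR", "dataTraceEnabled": False}},
}
STAGE_COMPLIANT = {
    "stageName": "prod", "deploymentId": "d1",
    "accessLogSettings": {"destinationArn": LOG_GROUP_ARN, "format": ACCESS_LOG_FORMAT},
    "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": False}},
}

if __name__ == "__main__":
    for name, stage in [("no-logging", STAGE_NO_LOGGING), ("half-done", STAGE_HALF_DONE),
                        ("compliant", STAGE_COMPLIANT)]:
        print(name, audit_stage(stage) or "OK")
    # shlex.join quotes the JSON argument so the lines can be pasted into a POSIX shell.
    print(shlex.join(update_account_command()))
    print(shlex.join(update_stage_command()))
```

To run it against a real stage, pipe the output of `aws apigateway get-stage` into `json.load` and pass the result to `audit_stage`. The example deliberately leaves `/*/*/logging/dataTrace` alone: full request and response logging at INFO level writes headers and bodies, including credentials and personal data, into CloudWatch Logs, so keep it off in production stages.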