Api Gateway Stage Logging Enabled Rule
This rule ensures that API Gateway stage logging is enabled to maintain high security standards.
| Rule | API Gateway stage logging should be enabled |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule Description:
This rule requires enabling logging for the API Gateway stage in order to comply with the NIST 800-53 Revision 5 security framework. Logging can help in monitoring and identifying any unauthorized access attempts or potential security breaches.
Troubleshooting Steps:
- 1.Validate IAM permissions: Ensure that the user or role associated with the API Gateway has the required IAM permissions to enable logging for the stage.
- 2.Confirm API Gateway configuration: Double-check that the API Gateway resource is correctly configured, and the associated stage is properly set up.
- 3.Verify CloudWatch Logs integration: Ensure that the API Gateway is integrated with CloudWatch Logs for storing the logs.
Necessary Codes:
This rule does not have direct code implementations. However, the following AWS CLI commands can be used to enable logging for the API Gateway stage:
- 1.Enable detailed CloudWatch logging for the stage:
aws apigateway update-stage \ --rest-api-id <API-ID> \ --stage-name <STAGE-NAME> \ --patch-operations '[{"op":"replace","path":"/accessLogSettings/destinationArn","value":"arn:aws:logs:<REGION>:<ACCOUNT-ID>:log-group:<LOG-GROUP-NAME>"}]'
Replace
<API-ID><STAGE-NAME><REGION><ACCOUNT-ID><LOG-GROUP-NAME>- 1.Enable logging for each method:
aws apigateway update-stage \ --rest-api-id <API-ID> \ --stage-name <STAGE-NAME> \ --patch-operations '[{"op":"replace","path":"/accessLogSettings/format","value":"json"},{"op":"add","path":"/accessLogSettings/roleArn","value":"arn:aws:iam::<ACCOUNT-ID>:role/<ROLE-NAME>"}]'
Replace
<API-ID><STAGE-NAME><ACCOUNT-ID><ROLE-NAME>Step-by-Step Guide for Remediation:
- 1.Authenticate to the AWS Management Console.
- 2.Go to the API Gateway service page.
- 3.Select the desired API from the list.
- 4.Choose the correct Stage from the left-hand menu.
- 5.Click on the Logs/Tracing tab.
- 6.In the Access Logging section, click on Edit.
- 7.Enable the switch next to Enable Access Logging.
- 8.Enter the ARN of the desired CloudWatch Logs group in the CloudWatch Logs group ARN field.
- 9.Save the changes.
- 10.Repeat steps 6-9 for each method within the stage, if necessary.
- 11.Verify that the logging is functioning correctly by accessing the API and checking if logs are being generated in the specified CloudWatch Logs group.
Note: It may take a few minutes for the changes to take effect and for logs to appear in the designated CloudWatch Logs group.
By following these steps, you will successfully enable logging for the API Gateway stage, aligning with the NIST 800-53 Revision 5 security requirements.