This rule requires enabling logging for API Gateway stages.
| Rule | API Gateway stage logging should be enabled |
|---|---|
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Ensuring API Gateway Stage Logging is Enabled for NIST 800-53 Rev 5 Compliance
Introduction
NIST 800-53 Revision 5 is a catalog of security and privacy controls for federal information systems. To align with it, every AWS API Gateway stage should have logging enabled, so that there is a clear record of API requests for monitoring and forensic investigation.
Detailed Rule Description
Under NIST 800-53 Rev 5, organizations are required to generate audit records for certain events, to help in detecting, understanding, or limiting the impact of potential security incidents. For API Gateway, this translates to ensuring that logging is set up for all stages.
Remediation Steps
Enabling Access Logging in AWS API Gateway
1. Identify API Stages without Logging
First, check which API Gateway stages do not have logging enabled. This can be done in the AWS Management Console or with the AWS CLI.
AWS CLI Command:
aws apigateway get-stages --rest-api-id <rest_api_id>
2. Enable CloudWatch Logs
API Gateway execution logs and access logs are delivered to Amazon CloudWatch Logs. Make sure the identity performing the change can create and write to CloudWatch Logs. Note that execution logging also requires an IAM role trusted by API Gateway to be registered in the account-level API Gateway settings (the CloudWatch Logs role ARN); without it, setting a log level on a stage has no effect.
AWS IAM Policy to Allow CloudWatch Logs Creation
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}
3. Enable Logging for the Stage
Logging can be configured in the AWS Management Console or with the AWS CLI. The command below sets the execution log level to INFO for every resource and method of the stage (the /*/* path). Access logging is a separate stage setting (accessLogSettings: a CloudWatch Logs destination ARN plus a log format) and should be enabled as well so that each request is recorded.
AWS CLI Command:
aws apigateway update-stage --rest-api-id <rest_api_id> --stage-name <stage_name> --patch-operations '[{ "op": "replace", "path": "/*/*/logging/loglevel", "value": "INFO" }]'
4. Verify the Logging
Confirm that the log group exists and that log events are being written to it. You can invoke the API manually and then check CloudWatch Logs for the corresponding entries.
AWS CLI Command to Check Logs:
aws logs filter-log-events --log-group-name <API-Gateway-Log-Group>
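As an added example that is not part of this rule page or of any AWS tool, the following Python audits the JSON returned by get-stages for both access logging and execution log level, and builds the --patch-operations document that enables both. The sample response and the log group ARN are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws apigateway get-stages` output (abridged).
SAMPLE_GET_STAGES = json.loads("""
{
  "item": [
    {"stageName": "prod",
     "accessLogSettings": {"destinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:apigw-prod",
                           "format": "$context.requestId $context.status"},
     "methodSettings": {"*/*": {"loggingLevel": "INFO"}}},
    {"stageName": "dev",
     "methodSettings": {"*/*": {"loggingLevel": "OFF"}}},
    {"stageName": "test"}
  ]
}
""")


def audit_stages(get_stages_response):
    """Return {stageName: [findings]} for every stage that fails the logging rule."""
    findings = {}
    for stage in get_stages_response.get("item", []):
        problems = []
        access = stage.get("accessLogSettings") or {}
        if not access.get("destinationArn"):
            problems.append("no access log destination")
        # The "*/*" key holds the settings applied to all resources and methods.
        level = (stage.get("methodSettings") or {}).get("*/*", {}).get("loggingLevel", "OFF")
        if level == "OFF":
            problems.append("execution logging OFF")
        if problems:
            findings[stage["stageName"]] = problems
    return findings


def remediation_patch(log_group_arn):
    """Build the --patch-operations JSON for update-stage enabling access and execution logs."""
    ops = [
        {"op": "replace", "path": "/accessLogSettings/destinationArn", "value": log_group_arn},
        {"op": "replace", "path": "/accessLogSettings/format",
         "value": "$context.requestId $context.identity.sourceIp $context.httpMethod "
                  "$context.path $context.status"},
        {"op": "replace", "path": "/*/*/logging/loglevel", "value": "INFO"},
    ]
    return json.dumps(ops)


if __name__ == "__main__":
    # Placeholder ARN; substitute the real log group ARN (without a trailing ":*").
    arn = "arn:aws:logs:<region>:<account_id>:log-group:<API-Gateway-Log-Group>"
    for name, problems in audit_stages(SAMPLE_GET_STAGES).items():
        print(f"{name}: {', '.join(problems)}")
        print(f"  aws apigateway update-stage --rest-api-id <rest_api_id> "
              f"--stage-name {name} --patch-operations '{remediation_patch(arn)}'")
```

Feed it the real output with `aws apigateway get-stages --rest-api-id <rest_api_id>` piped through json.load to get a per-stage list of what is missing.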
Troubleshooting Steps
Supporting AWS CLI Commands
List APIs
List all available APIs to identify their respective IDs:
aws apigateway get-rest-apis
Check CloudWatch Logs Resource Policies
List the account's CloudWatch Logs resource policies, which govern which AWS services may deliver logs to log groups:
aws logs describe-resource-policies
Update IAM Policy
Apply an IAM policy to a user, group, or role to grant the necessary permissions:
AWS CLI Command:
aws iam put-user-policy --user-name <user_name> --policy-name <policy_name> --policy-document file://policy.json
or
aws iam attach-role-policy --role-name <role_name> --policy-arn <policy_arn>
Creating a Log Group in CloudWatch
If the log group does not exist yet, create it:
aws logs create-log-group --log-group-name <API-Gateway-Log-Group>
Conclusion
By following these detailed instructions, you can achieve compliance with NIST 800-53 Rev 5 concerning API Gateway stage logging. Ensure continuous monitoring and regular checks to maintain the setup's effectiveness and adjust configurations as needed.