API Gateway Stage Logging Enabled Rule

This rule ensures that API Gateway stage logging is enabled, as part of the Protect (PR) benchmark.

Rule: API Gateway stage logging should be enabled
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

Rule Description

API Gateway stage logging should be enabled to comply with the NIST Cybersecurity Framework (CSF) v1.1. Enabling stage logging ensures that all request and response data in the API Gateway stage is logged for improved monitoring, troubleshooting, and security analysis.

Enabling stage logging provides valuable insights into the behavior of your API, helps in identifying potential security threats, and allows for analyzing API traffic patterns.

Troubleshooting Steps

If you encounter any issues while enabling stage logging, follow the troubleshooting steps below:

  1. Make sure you have the necessary permissions to modify API Gateway settings in your AWS account.
  2. Verify that your API Gateway is in a proper state and not experiencing any disruptions or errors.
  3. If you are using a custom domain name, ensure that the DNS configurations are correctly set up.
  4. Review the API Gateway logs for any error messages or possible reasons for the issue.
  5. Check if there are any conflicting configurations or policies that might prevent the enabling of stage logging.
  6. Ensure that you are using the correct API Gateway endpoint URL for making requests.

Code Example

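To enable stage logging for the API Gateway, you can use the AWS Command Line Interface (CLI). Below is an example command. Method-setting paths must start with /*/* to apply to every resource and method in the stage, and execution logs are only written when loglevel is ERROR or INFO; dataTrace adds the full request and response data on top of that:

aws apigateway update-stage --rest-api-id YOUR_REST_API_ID --stage-name YOUR_STAGE_NAME --patch-operations 'op=replace,path=/*/*/logging/loglevel,value=INFO' 'op=replace,path=/*/*/logging/dataTrace,value=true'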

Replace YOUR_REST_API_ID with the ID of the target REST API and YOUR_STAGE_NAME with the name of the API Gateway stage where you want to enable stage logging.

Ensure that you have the AWS CLI installed and configured with the necessary credentials and region before executing the command.

Remediation Steps

To enable API Gateway stage logging using the AWS Management Console, follow the step-by-step guide below:

  1. Open the AWS Management Console and navigate to the API Gateway service.
  2. Select the target REST API from the list of available APIs.
  3. In the left navigation pane, click "Stages".
  4. Select the stage where you want to enable stage logging.
  5. Click the "Logs/Tracing" tab in the stage details.
  6. Under the "CloudWatch Settings" section, click the "Edit" button.
  7. Select the "Enable CloudWatch Logs" checkbox to enable stage logging.
  8. Optionally, you can also enable "Log full requests/responses data" and "Enable data tracing" for more detailed logging.
  9. Click the "Save Changes" button to apply the configuration.
  10. Wait a few moments for the changes to take effect.

After completing these steps, stage logging for the API Gateway will be enabled, and all request and response data will be logged for NIST Cybersecurity Framework (CSF) v1.1 compliance.

Remember to repeat these steps for each stage of your API Gateway if you have multiple stages requiring stage logging.
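
To confirm the setting on every stage after remediation, the following added example (not part of the original page or of the vendor's product) audits the JSON returned by aws apigateway get-stages --rest-api-id YOUR_REST_API_ID. The pass criterion is an assumption made here: the stage-wide */* setting has loggingLevel ERROR or INFO and no per-method override turns it off. The sample input is constructed, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `aws apigateway get-stages` output (not real data).
SAMPLE_GET_STAGES = """
{"item": [
  {"stageName": "prod",
   "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": false}}},
  {"stageName": "staging",
   "methodSettings": {"*/*": {"loggingLevel": "ERROR", "dataTraceEnabled": true},
                      "~1health/GET": {"loggingLevel": "OFF", "dataTraceEnabled": false}}},
  {"stageName": "dev",
   "methodSettings": {"*/*": {"loggingLevel": "OFF", "dataTraceEnabled": true}}},
  {"stageName": "legacy"}
]}
"""

# Assumed pass criterion for this example: execution logging at ERROR or INFO.
ENABLED_LEVELS = {"ERROR", "INFO"}


def audit_stage(stage):
    """Return a list of findings for one stage; an empty list means it passes."""
    settings = stage.get("methodSettings") or {}
    findings = []
    default = settings.get("*/*")
    if default is None:
        findings.append("no stage-wide (*/*) method settings: logging never configured")
    elif default.get("loggingLevel", "OFF") not in ENABLED_LEVELS:
        findings.append(f"stage-wide loggingLevel is {default.get('loggingLevel', 'OFF')}")
        if default.get("dataTraceEnabled"):
            findings.append("dataTraceEnabled is set but loggingLevel is OFF")
    # Per-method overrides can switch logging off for single routes.
    for key, override in sorted(settings.items()):
        level = override.get("loggingLevel", "OFF")
        if key != "*/*" and level not in ENABLED_LEVELS:
            findings.append(f"override {key} has loggingLevel {level}")
    return findings


def audit_stages(get_stages_json):
    """Map stage name -> findings for every stage in the get-stages JSON."""
    stages = json.loads(get_stages_json).get("item", [])
    return {s["stageName"]: audit_stage(s) for s in stages}


if __name__ == "__main__":
    for name, findings in audit_stages(SAMPLE_GET_STAGES).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}", *findings, sep="\n  - ")
```

The dev stage in the sample shows the case where only dataTrace was switched on: the stage still fails because loggingLevel remains OFF.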
