Ensure CloudWatch Logs are enabled for AWS API Gateway Stage

MEDIUM

Description

When CloudWatch Logs are disabled for an API Gateway stage, requests handled by that stage leave no record: errors, latency, caller identity and source IP are not captured, so abuse, misconfiguration and incidents at the stage level cannot be detected or investigated after the fact.

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to API Gateway console.
  2. Choose a REST API.
  3. Choose Settings from the primary navigation panel and, under CloudWatch log role ARN, enter the ARN of an IAM role that API Gateway can assume to write to CloudWatch Logs (for example, a role with the AmazonAPIGatewayPushToCloudWatchLogs managed policy attached). This is an account-level setting per region, so you only need to do it once.
  4. Do one of the following:
    a. Choose an existing API and then choose a stage.
    b. Create an API and deploy it to a stage.
  5. Choose Logs/Tracing in the Stage Editor.
  6. Choose Enable CloudWatch Logs under CloudWatch Settings and select a log level (ERROR or INFO).
  7. Select Save changes.

In Terraform -

  1. In the aws_api_gateway_stage resource, configure the access_log_settings block with a destination_arn (for example, the ARN of a CloudWatch log group) and a format. This enables access logging for the stage; execution logging (the console's "Enable CloudWatch Logs" switch) is a separate per-method setting, configured with the logging_level in an aws_api_gateway_method_settings resource, and both require the account-level CloudWatch log role ARN set via aws_api_gateway_account.
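The Terraform remediation above, as an added example that is not part of the original page or of any project's code: it shows the non-compliant stage that this rule flags next to a compliant stage with both access logs and execution logs sent to CloudWatch, including the account-level log role that console step 3 sets up. The resource names (aws_api_gateway_rest_api.example, aws_api_gateway_deployment.example), the role and log group names, and the stage name "prod" are assumptions for illustration.

```hcl
# Added example (not from the original page). Assumed names: aws_api_gateway_rest_api.example,
# aws_api_gateway_deployment.example, the role/log group names and the stage name "prod".

# Account-level setting: API Gateway assumes this role to push logs to CloudWatch.
# This mirrors console step 3 ("CloudWatch log role ARN") and is set once per region.
data "aws_iam_policy_document" "apigw_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "apigw_cloudwatch" {
  name               = "apigw-cloudwatch-logs" # assumed name
  assume_role_policy = data.aws_iam_policy_document.apigw_assume.json
}

resource "aws_iam_role_policy_attachment" "apigw_cloudwatch" {
  role       = aws_iam_role.apigw_cloudwatch.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}

resource "aws_api_gateway_account" "this" {
  cloudwatch_role_arn = aws_iam_role.apigw_cloudwatch.arn
}

# Destination for access logs; a retention period keeps the group from growing unbounded.
resource "aws_cloudwatch_log_group" "access" {
  name              = "/aws/apigateway/example/prod/access" # assumed name
  retention_in_days = 90
}

# Non-compliant (what AC_AWS_0012 flags): a stage with no access_log_settings block.
# resource "aws_api_gateway_stage" "prod" {
#   rest_api_id   = aws_api_gateway_rest_api.example.id
#   deployment_id = aws_api_gateway_deployment.example.id
#   stage_name    = "prod"
# }

# Compliant: access logs to CloudWatch in a JSON format carrying the fields needed to
# investigate a request (request id, caller identity, source IP, method, path, status).
resource "aws_api_gateway_stage" "prod" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  deployment_id = aws_api_gateway_deployment.example.id
  stage_name    = "prod"

  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.access.arn
    format = jsonencode({
      requestId      = "$context.requestId"
      ip             = "$context.identity.sourceIp"
      caller         = "$context.identity.caller"
      user           = "$context.identity.user"
      requestTime    = "$context.requestTime"
      httpMethod     = "$context.httpMethod"
      resourcePath   = "$context.resourcePath"
      status         = "$context.status"
      protocol       = "$context.protocol"
      responseLength = "$context.responseLength"
    })
  }

  # The log role must exist before API Gateway can write either kind of log.
  depends_on = [aws_api_gateway_account.this]
}

# Execution logs (console steps 5-6) are a separate, per-method setting.
# method_path "*/*" applies it to every method on every resource in the stage.
resource "aws_api_gateway_method_settings" "all" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  method_path = "*/*"

  settings {
    logging_level      = "INFO" # "ERROR" reduces volume if INFO is too noisy
    data_trace_enabled = false  # true logs full request/response bodies, which may contain secrets
    metrics_enabled    = true
  }
}
```

The access log format is a single line per request, so it is the cheaper of the two to keep on at all times and the one a SIEM query or CloudWatch Logs Insights query will usually run over; execution logs are verbose and better treated as a debugging aid. Keep data_trace_enabled off outside troubleshooting, since it copies request and response payloads (tokens, personal data) into the log group.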

References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#access-log-settings

Policy Details

Rule Reference ID: AC_AWS_0012
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: API Gateway

Frameworks