Ensure CloudWatch Logs are enabled for AWS API Gateway Stage



Execution behavior at the API stage level can be missed due to disabled APIs in CloudWatch Logs.


In AWS Console -

  1. Sign in to the AWS console and go to API Gateway console.
  2. Choose a REST API.
  3. Choose Settings from the primary navigation panel and enter an ARN of an IAM role with appropriate permissions in CloudWatch log role ARN. You need to do this once.
  4. Do one of the following:
    a. Choose an existing API and then choose a stage.
    b. Create an API and deploy it to a stage.
  5. Choose Logs/Tracing in the Stage Editor.
  6. Choose Enable CloudWatch Logs under CloudWatch Settings.
  7. Select Save changes.

In Terraform -

  1. In the aws_api_gateway_stage resource, configure the access_log_settings block to contain a destination_arn (such as CloudWatch) and a format.


Policy Details

Rule Reference ID: AC_AWS_0012
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: API Gateway