Ensure API Gateway V2 has Access Logging enabled

Error: AWS API Gateway V2 has Access Logging is disabled
Bridgecrew Policy ID: BC_AWS_LOGGING_30
Checkov Check ID: CKV_AWS_95
Severity: Low


Description

Enabling the custom access logging option in API Gateway delivers custom-formatted access logs to CloudWatch Logs, where they can be analyzed with CloudWatch Logs Insights. Using custom domain names in Amazon API Gateway gives insight into the requests sent to each custom domain name. If more than one custom domain name is mapped to a single API, knowing the quantity and type of requests per domain name helps you understand request patterns.

Fix - Runtime

AWS Console

Procedure:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon API Gateway console.
  3. Find the Stage Editor for your API.
  4. On the Stage Editor pane, choose the Logs/Tracing tab.
  5. On the Logs/Tracing tab, under CloudWatch Settings, do the following to enable execution logging.
  6. Select the Enable CloudWatch Logs check box.
  7. For Log level, choose INFO to generate execution logs for all requests. Or, choose ERROR to generate execution logs only for requests to your API that result in an error.
  8. Select the Log full requests/responses data check box for a REST API. Or, select the Log full message data check box for a WebSocket API.
  9. Under Custom Access Logging, select the Enable Access Logging check box.
  10. For Access Log Destination ARN, enter the ARN of a CloudWatch log group or an Amazon Kinesis Data Firehose stream.
  11. Enter a Log Format. For guidance, you can choose CLF, JSON, XML, or CSV to see an example in that format.
  12. Click Save Changes.

Fix - Buildtime

CloudFormation

  • Resource: AWS::ApiGatewayV2::Stage
  • Argument: AccessLogSettings
MyStage:
  Type: 'AWS::ApiGatewayV2::Stage'
  Properties:
    StageName: Prod
    Description: Prod Stage
    DeploymentId: !Ref MyDeployment
    ApiId: !Ref CFNWebSocket
    DefaultRouteSettings:
      DetailedMetricsEnabled: true
      LoggingLevel: INFO
      DataTraceEnabled: false
      ThrottlingBurstLimit: 10
      ThrottlingRateLimit: 10
    # Added: access logging for this stage
    AccessLogSettings:
      DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
      Format: >-
        {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
        "caller":"$context.identity.caller",
        "user":"$context.identity.user","requestTime":"$context.requestTime",
        "eventType":"$context.eventType","routeKey":"$context.routeKey",
        "status":"$context.status","connectionId":"$context.connectionId"}
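As an added example (not Checkov's own implementation of CKV_AWS_95), the following script applies the same rule to a parsed CloudFormation template: every AWS::ApiGatewayV2::Stage must carry an AccessLogSettings block with both a DestinationArn and a Format. The template, resource names and function names are constructed for this example; an AccessLogSettings block that is present but incomplete is treated as failing, since it still leaves the stage without access logs.

```python
# Added example, not Checkov's own source: a minimal check in the spirit of
# CKV_AWS_95 over a parsed CloudFormation template (a dict, as yaml.safe_load
# would return). Template contents and function names are constructed here.

STAGE_TYPE = "AWS::ApiGatewayV2::Stage"

def check_stage_access_logging(properties: dict) -> str:
    """PASSED only if AccessLogSettings names both a DestinationArn and a Format.

    An empty or partial block still leaves the stage without access logs.
    """
    settings = properties.get("AccessLogSettings")
    if not isinstance(settings, dict):
        return "FAILED"
    for key in ("DestinationArn", "Format"):
        value = settings.get(key)
        if not isinstance(value, str) or not value.strip():
            return "FAILED"
    return "PASSED"

def scan_template(template: dict) -> dict:
    """Map each API Gateway V2 stage's logical id to its check result."""
    return {
        name: check_stage_access_logging(res.get("Properties") or {})
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == STAGE_TYPE
    }

# Constructed template: one stage logged as in the fix above, one unlogged,
# one with an incomplete AccessLogSettings block, plus a non-stage resource.
SAMPLE_TEMPLATE = {"Resources": {
    "LoggedStage": {"Type": STAGE_TYPE, "Properties": {
        "StageName": "Prod",
        "AccessLogSettings": {
            "DestinationArn": "arn:aws:logs:us-east-1:123456789:log-group:my-log-group",
            "Format": '{"requestId":"$context.requestId","status":"$context.status"}',
        }}},
    "UnloggedStage": {"Type": STAGE_TYPE, "Properties": {"StageName": "Dev"}},
    "HalfConfigured": {"Type": STAGE_TYPE, "Properties": {
        "AccessLogSettings": {"Format": "$context.requestId"}}},
    "NotAStage": {"Type": "AWS::ApiGatewayV2::Api", "Properties": {}},
}}

if __name__ == "__main__":
    for logical_id, verdict in scan_template(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: {verdict}")
```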
