Ensure API Gateway stage have logging level defined appropriately

Error: API Gateway stage does not have logging level defined appropriately

Bridgecrew Policy ID: BC_AWS_LOGGING_29
Checkov Check ID: CKV2_AWS_4
Severity: LOW

API Gateway stage does not have logging level defined appropriately

Description

It is generally a good practice to define the logging level for your API Gateway stages appropriately because it allows you to capture and review detailed information about the requests and responses handled by your API. This can be especially useful for debugging issues, analyzing the usage patterns of your API, and identifying potential performance bottlenecks.

By default, the logging level for API Gateway stages is set to "OFF", which means that no logs are generated. You can choose to enable logging at the "ERROR" level, which will capture only log entries that correspond to error responses generated by your API. Alternatively, you can enable logging at the "INFO" level, which will capture log entries for both error responses and successful requests.

Fix - Buildtime

Terraform

  • Resources: aws_api_gateway_rest_api, aws_api_gateway_deployment, aws_api_gateway_stage, aws_api_gateway_method_settings
  • Argument: settings.logging_level (set to "ERROR" or "INFO" in an aws_api_gateway_method_settings resource whose method_path covers the stage)

resource "aws_api_gateway_rest_api" "ok_example" {
  body = jsonencode({
    openapi = "3.0.1"
    info = {
      title   = "ok_example"
      version = "1.0"
    }
    paths = {
      "/path1" = {
        get = {
          x-amazon-apigateway-integration = {
            httpMethod           = "GET"
            payloadFormatVersion = "1.0"
            type                 = "HTTP_PROXY"
            uri                  = "https://ip-ranges.amazonaws.com/ip-ranges.json"
          }
        }
      }
    }
  })

  name = "ok_example"
}

resource "aws_api_gateway_deployment" "ok_example" {
  rest_api_id = aws_api_gateway_rest_api.ok_example.id

  triggers = {
    redeployment = sha1(jsonencode(aws_api_gateway_rest_api.ok_example.body))
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_api_gateway_stage" "ok_example" {
  deployment_id = aws_api_gateway_deployment.ok_example.id
  rest_api_id   = aws_api_gateway_rest_api.ok_example.id
  stage_name    = "ok_example"
}

resource "aws_api_gateway_method_settings" "all" {
  rest_api_id = aws_api_gateway_rest_api.ok_example.id
  stage_name  = aws_api_gateway_stage.ok_example.stage_name
  # "*/*" applies these settings to every resource path and HTTP method on the stage
  method_path = "*/*"

  settings {
    metrics_enabled = true
    # Anything other than the default "OFF" satisfies the check; "ERROR" logs only
    # error responses, "INFO" logs every request as well
    logging_level = "ERROR"
  }
}
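The description above explains the three logging levels and the fix shows the Terraform that satisfies the check. To make the check's logic concrete, here is an added build-time evaluator, written for this page and not Checkov's own implementation: it walks a `terraform show -json` plan and reports each aws_api_gateway_stage as PASSED only when an aws_api_gateway_method_settings resource with method_path "*/*" sets logging_level to ERROR or INFO for that stage. The plan document is constructed inline as sample input; resources are matched by stage_name, an assumption that holds only when the stage name is a literal known at plan time (Checkov resolves the reference through its resource graph instead).

```python
"""Build-time evaluation of the CKV2_AWS_4 rule over Terraform plan JSON.

Added example for this page; it is not Checkov's implementation. Input is the
`terraform show -json` structure (planned_values.root_module.resources), and
the SAMPLE_PLAN below is constructed data, not real plan output.
"""
import json
import sys

# Any level other than the default "OFF" counts as defined appropriately.
ACCEPTABLE_LEVELS = {"ERROR", "INFO"}

# Constructed sample: one compliant stage, one stage whose settings leave
# logging OFF, and one stage with no method settings at all.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_api_gateway_stage.ok_example",
                 "type": "aws_api_gateway_stage", "name": "ok_example",
                 "values": {"stage_name": "ok_example"}},
                {"address": "aws_api_gateway_method_settings.all",
                 "type": "aws_api_gateway_method_settings", "name": "all",
                 "values": {"stage_name": "ok_example", "method_path": "*/*",
                            "settings": [{"metrics_enabled": True,
                                          "logging_level": "ERROR"}]}},
                {"address": "aws_api_gateway_stage.dev",
                 "type": "aws_api_gateway_stage", "name": "dev",
                 "values": {"stage_name": "dev"}},
                {"address": "aws_api_gateway_method_settings.dev_all",
                 "type": "aws_api_gateway_method_settings", "name": "dev_all",
                 "values": {"stage_name": "dev", "method_path": "*/*",
                            "settings": [{"metrics_enabled": True,
                                          "logging_level": "OFF"}]}},
                {"address": "aws_api_gateway_stage.prod_unlogged",
                 "type": "aws_api_gateway_stage", "name": "prod_unlogged",
                 "values": {"stage_name": "prod_unlogged"}},
            ]
        }
    }
}


def _resources(plan):
    """Yield every planned resource, descending into child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def effective_logging_levels(plan):
    """Map stage_name -> logging_level from stage-wide ("*/*") method settings.

    Per-method overrides (e.g. "/path1/GET") are ignored: they do not cover the
    whole stage, so they cannot satisfy the rule on their own.
    """
    levels = {}
    for res in _resources(plan):
        if res.get("type") != "aws_api_gateway_method_settings":
            continue
        values = res.get("values", {})
        if values.get("method_path") != "*/*":
            continue
        # `settings` is a block, which plan JSON renders as a list of objects.
        for settings in values.get("settings", []):
            levels[values.get("stage_name")] = settings.get("logging_level", "OFF")
    return levels


def check_stages(plan):
    """Return {stage address: "PASSED" | "FAILED"} for every API Gateway stage."""
    levels = effective_logging_levels(plan)
    results = {}
    for res in _resources(plan):
        if res.get("type") != "aws_api_gateway_stage":
            continue
        stage_name = res.get("values", {}).get("stage_name")
        level = levels.get(stage_name, "OFF")  # no */* settings means logging is OFF
        results[res["address"]] = "PASSED" if level in ACCEPTABLE_LEVELS else "FAILED"
    return results


if __name__ == "__main__":
    # Usage: python check_stage_logging.py plan.json   (falls back to the sample)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, verdict in sorted(check_stages(plan).items()):
        print(f"{verdict}\t{address}")
```

Two practical points follow from the rule's shape. A method_settings resource scoped to a single path does not bring the stage into compliance, so the evaluator deliberately only credits "*/*". And passing the check is not the same as logs actually appearing: API Gateway execution logging also needs a CloudWatch Logs role configured at the account level (aws_api_gateway_account), and enabling data_trace_enabled alongside "INFO" writes full request and response payloads to the log group, which can expose tokens and personal data to anyone with read access to those logs.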