Ensure API Gateway has access logging enabled

Error: API Gateway does not have access logging enabled

Bridgecrew Policy ID: BC_AWS_LOGGING_17
Checkov Check ID: CKV_AWS_76
Severity: LOW

Description

Enabling the custom access logging option in API Gateway delivers access logs to CloudWatch Logs, where they can be analyzed with CloudWatch Logs Insights. When custom domain names are used in Amazon API Gateway, these logs give insight into the requests sent to each custom domain name. If more than one custom domain name is mapped to a single API, knowing the quantity and type of requests per domain name helps reveal request patterns.

Fix - Runtime

AWS Console

Procedure:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon API Gateway console.
  3. Find the Stage Editor for your API.
  4. On the Stage Editor pane, choose the Logs/Tracing tab.
  5. On the Logs/Tracing tab, under CloudWatch Settings, do the following to enable execution logging.
  6. Select the Enable CloudWatch Logs check box.
  7. For Log level, choose INFO to generate execution logs for all requests. Or, choose ERROR to generate execution logs only for requests to your API that result in an error.
  8. Select the Log full requests/responses data check box for a REST API. Or, select the Log full message data check box for a WebSocket API.
  9. Under Custom Access Logging, select the Enable Access Logging check box.
  10. For Access Log Destination ARN, enter the ARN of a CloudWatch log group or an Amazon Kinesis Data Firehose stream.
  11. Enter a Log Format. For guidance, you can choose CLF, JSON, XML, or CSV to see an example in that format.
  12. Click Save Changes.

Fix - Buildtime

Terraform

  • Resource: aws_api_gateway_stage
  • Argument: access_log_settings - (Optional) Enables access logs for the API stage. Detailed below.
resource "aws_api_gateway_stage" "test" {
  ...
  stage_name = "prod"
+ access_log_settings {
+   destination_arn = aws_cloudwatch_log_group.example.arn
+   format          = "..."
+ }
  ...
}

CloudFormation

  • Resource: AWS::ApiGateway::Stage
  • Argument: Properties.AccessLogSetting.DestinationArn
Resources:
  MyStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      ...
      AccessLogSetting:
        DestinationArn: 'arn:aws:logs:us-east-1:123456789012:log-group:example-log-group'
        Format: "..."
      ...
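The following is an added example, not Checkov's or Bridgecrew's own code: a stand-alone re-implementation of the CKV_AWS_76 idea that evaluates both the Terraform and the CloudFormation shapes shown above, run over constructed stage definitions. It is a little stricter than the documented argument in that it also requires a non-placeholder log format, and it assumes Terraform input in the list-of-dicts form that python-hcl2 produces.

```python
# Added example, not Checkov's or Bridgecrew's own code: a stand-alone
# re-implementation of the CKV_AWS_76 idea over constructed resource definitions.
# Stricter than the documented key: it also requires a non-placeholder log format.
PASSED, FAILED = "PASSED", "FAILED"

def _is_set(value) -> bool:
    # The docs' "..." placeholder counts as unset, so a copy-pasted template
    # with an unusable destination or format still fails.
    return isinstance(value, str) and value.strip() not in ("", "...")

def check_terraform_stage(conf: dict) -> str:
    """conf: one aws_api_gateway_stage body as python-hcl2 emits it
    (nested blocks become lists of dicts, attributes stay scalars)."""
    for block in conf.get("access_log_settings") or []:
        if _is_set(block.get("destination_arn")) and _is_set(block.get("format")):
            return PASSED
    return FAILED

def check_cfn_stage(resource: dict) -> str:
    """resource: one entry under Resources in a CloudFormation template."""
    if resource.get("Type") != "AWS::ApiGateway::Stage":
        return PASSED  # the check does not apply to other resource types
    setting = (resource.get("Properties") or {}).get("AccessLogSetting") or {}
    if _is_set(setting.get("DestinationArn")) and _is_set(setting.get("Format")):
        return PASSED
    return FAILED

# Constructed sample inputs (not from any real account or template).
TF_STAGES = {
    "prod_logged": {"stage_name": "prod", "access_log_settings": [{
        "destination_arn": "${aws_cloudwatch_log_group.example.arn}",
        "format": '{"requestId":"$context.requestId","status":"$context.status"}'}]},
    "prod_unlogged": {"stage_name": "prod"},
    "prod_placeholder": {"stage_name": "prod", "access_log_settings": [{
        "destination_arn": "${aws_cloudwatch_log_group.example.arn}", "format": "..."}]},
}
CFN_RESOURCES = {
    "LoggedStage": {"Type": "AWS::ApiGateway::Stage", "Properties": {"AccessLogSetting": {
        "DestinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:example-log-group",
        "Format": "$context.requestId $context.status"}}},
    "UnloggedStage": {"Type": "AWS::ApiGateway::Stage", "Properties": {"StageName": "prod"}},
}

def run_examples() -> dict:
    """Map each sample resource name to PASSED or FAILED."""
    results = {n: check_terraform_stage(c) for n, c in TF_STAGES.items()}
    results.update({n: check_cfn_stage(r) for n, r in CFN_RESOURCES.items()})
    return results
```

Calling run_examples() flags the unlogged stages and the stage whose format is still the "..." placeholder, while the two fully configured stages pass.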