Ensure API Gateway has Access Logging enabled

When you enable the Access Logging option in API Gateway, it delivers access logs to CloudWatch Logs. These logs can be analyzed using CloudWatch Logs Insights and help you monitor your API's performance and usage.

Risk Level: Low
Cloud Entity: AWS ApiGateway Stage
CloudGuard Rule ID: D9.CFT.LOG.14
Covered by Spectral: Yes
Category: Management Tools

GSL LOGIC

AWS_ApiGateway_Stage should have AccessLogSetting.DestinationArn

REMEDIATION

From CFT
Supply AWS::ApiGateway::Stage::AccessLogSetting::DestinationArn with the ARN of the CloudWatch log group (LogGroupARN) that should receive the access logs.
See the example below:

Resources:
  MyApi:
    Type: AWS::ApiGateway::Stage
    Properties:
      ...
      AccessLogSetting:
        DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:example-log-group'
      ...
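The following is an added example, not part of this rule page or of CloudGuard's own tooling. It implements the GSL logic above over a CloudFormation template and applies the remediation: it loads a constructed sample template, flags every AWS::ApiGateway::Stage whose AccessLogSetting.DestinationArn is missing or empty, accepts either a literal ARN (as in the snippet above) or an intrinsic such as Fn::GetAtt on a log group declared in the same template, and returns a corrected copy of the template. The logical IDs MyRestApi, MyDeployment, AccessLogs, ProdStage and DevStage and the access log format string are assumptions chosen for the sample.

```python
import copy
import json

# Constructed sample CloudFormation template (JSON form, so it loads with the
# standard library alone). "ProdStage" is compliant and sends access logs to a
# CloudWatch log group declared in the same template; "DevStage" is not.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "AccessLogs": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {"RetentionInDays": 90}
    },
    "ProdStage": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "RestApiId": {"Ref": "MyRestApi"},
        "DeploymentId": {"Ref": "MyDeployment"},
        "StageName": "prod",
        "AccessLogSetting": {
          "DestinationArn": {"Fn::GetAtt": ["AccessLogs", "Arn"]},
          "Format": "$context.requestId $context.identity.sourceIp $context.httpMethod $context.resourcePath $context.status"
        }
      }
    },
    "DevStage": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "RestApiId": {"Ref": "MyRestApi"},
        "DeploymentId": {"Ref": "MyDeployment"},
        "StageName": "dev"
      }
    }
  }
}
""")

# Intrinsic functions CloudFormation resolves at deploy time; a DestinationArn
# expressed through one of these is a valid, non-empty destination.
INTRINSIC_KEYS = ("Ref", "Fn::GetAtt", "Fn::Sub", "Fn::Join", "Fn::ImportValue")


def has_destination_arn(properties):
    """True when Properties.AccessLogSetting.DestinationArn is present and non-empty.

    Accepts either a literal ARN string or a single-key intrinsic-function dict.
    """
    setting = properties.get("AccessLogSetting")
    if not isinstance(setting, dict):
        return False
    arn = setting.get("DestinationArn")
    if isinstance(arn, str):
        return arn.strip() != ""
    if isinstance(arn, dict) and len(arn) == 1:
        return next(iter(arn)) in INTRINSIC_KEYS
    return False


def find_stages_without_access_logging(template):
    """Apply 'AWS_ApiGateway_Stage should have AccessLogSetting.DestinationArn'
    to every resource in the template; return the failing logical IDs, sorted."""
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ApiGateway::Stage":
            continue
        if not has_destination_arn(resource.get("Properties") or {}):
            failing.append(logical_id)
    return sorted(failing)


def remediate(template, stage_id, log_group_id):
    """Return a copy of the template in which the given stage sends access logs
    to the AWS::Logs::LogGroup with logical ID log_group_id (via Fn::GetAtt).
    The rule checks only DestinationArn; a Format is set alongside it because
    API Gateway access logging is configured as a destination plus a log format."""
    fixed = copy.deepcopy(template)
    props = fixed["Resources"][stage_id].setdefault("Properties", {})
    setting = props.setdefault("AccessLogSetting", {})
    setting["DestinationArn"] = {"Fn::GetAtt": [log_group_id, "Arn"]}
    setting.setdefault(
        "Format",
        "$context.requestId $context.identity.sourceIp "
        "$context.httpMethod $context.resourcePath $context.status",
    )
    return fixed


if __name__ == "__main__":
    print("non-compliant stages:", find_stages_without_access_logging(SAMPLE_TEMPLATE))
    fixed = remediate(SAMPLE_TEMPLATE, "DevStage", "AccessLogs")
    print("after remediation:", find_stages_without_access_logging(fixed))
```

Run against the sample, the check reports DevStage only; after remediate() points that stage at the AccessLogs log group, the same check reports nothing. A template exported as YAML can be fed to the same functions after loading it with a YAML parser that understands CloudFormation's short-form tags.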

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-accesslogsetting
  2. https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html

AWS ApiGateway Stage

A stage is a named reference to a deployment, which is a snapshot of the API. You use a Stage to manage and optimize a particular deployment. For example, you can configure stage settings to enable caching, customize request throttling, configure logging, define stage variables, or attach a canary release for testing. The AWS::ApiGateway::Stage resource creates a stage for a deployment.

Compliance Frameworks

  • AWS CloudFormation ruleset