Ensure API Gateway V2 has Access Logging enabled

Enabling the Access Logging option on an API Gateway stage delivers access logs to CloudWatch Logs. These logs can be analyzed with CloudWatch Logs Insights and help you monitor your API's performance.

Risk Level: Low
Cloud Entity: AWS ApiGatewayV2 Stage
CloudGuard Rule ID: D9.CFT.LOG.15
Covered by Spectral: Yes
Category: Management Tools

GSL LOGIC

AWS_ApiGatewayV2_Stage should have AccessLogSettings.DestinationArn

REMEDIATION

From CFT
Set the AccessLogSettings.DestinationArn property of the AWS::ApiGatewayV2::Stage resource to the ARN of the CloudWatch Logs log group that should receive the access logs.
See the example template below:

Resources:
  MyApi:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      ...
      AccessLogSettings:
        DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
      ...
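As an added illustration (not part of the CloudGuard ruleset or its GSL engine), the following Python snippet applies the same check as the GSL logic above to a CloudFormation template in JSON form: it walks every AWS::ApiGatewayV2::Stage resource and reports those with no AccessLogSettings.DestinationArn. The embedded template is constructed for this example; a DestinationArn given as an intrinsic function such as Fn::GetAtt counts as present because it resolves at deploy time.

```python
import json

STAGE_TYPE = "AWS::ApiGatewayV2::Stage"

# Constructed sample template in CloudFormation's JSON form. "CompliantStage"
# points DestinationArn at a log group via Fn::GetAtt, "NoLoggingStage" has no
# AccessLogSettings at all, and "EmptyArnStage" sets an empty DestinationArn.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "AccessLogs": {"Type": "AWS::Logs::LogGroup",
                   "Properties": {"RetentionInDays": 90}},
    "CompliantStage": {"Type": STAGE_TYPE, "Properties": {
        "ApiId": {"Ref": "MyApi"}, "StageName": "prod",
        "AccessLogSettings": {
            "DestinationArn": {"Fn::GetAtt": ["AccessLogs", "Arn"]},
            "Format": "$context.requestId $context.status"}}},
    "NoLoggingStage": {"Type": STAGE_TYPE, "Properties": {
        "ApiId": {"Ref": "MyApi"}, "StageName": "dev"}},
    "EmptyArnStage": {"Type": STAGE_TYPE, "Properties": {
        "ApiId": {"Ref": "MyApi"}, "StageName": "test",
        "AccessLogSettings": {"DestinationArn": ""}}},
}})


def has_destination_arn(properties):
    """True when AccessLogSettings.DestinationArn is a non-empty string or an
    intrinsic function (Ref, Fn::GetAtt, Fn::Sub) that resolves at deploy time."""
    settings = properties.get("AccessLogSettings")
    if not isinstance(settings, dict):
        return False
    arn = settings.get("DestinationArn")
    if isinstance(arn, dict):
        return len(arn) > 0
    return isinstance(arn, str) and arn.strip() != ""


def stages_without_access_logging(template_json):
    """Logical IDs of AWS::ApiGatewayV2::Stage resources that fail the rule, in
    template order. Mirrors: Stage should have AccessLogSettings.DestinationArn."""
    template = json.loads(template_json)
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != STAGE_TYPE:
            continue
        if not has_destination_arn(resource.get("Properties") or {}):
            failing.append(logical_id)
    return failing


if __name__ == "__main__":
    for stage in stages_without_access_logging(SAMPLE_TEMPLATE):
        print(f"{stage}: AccessLogSettings.DestinationArn missing")
```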

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-stage.html
  2. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging.html

AWS ApiGatewayV2 Stage

The AWS::ApiGatewayV2::Stage resource specifies a stage for an API. Each stage is a named reference to a deployment of the API and is made available for client applications to call.

Compliance Frameworks

  • AWS CloudFormation ruleset