Ensure API Gateway V2 has Access Logging enabled
When you enable the Access Logging option on an API Gateway stage, it delivers access logs to CloudWatch Logs. These logs can be analyzed with CloudWatch Logs Insights to monitor your API's performance and to investigate who called which route, with what result.
Risk Level: Low
Cloud Entity: AWS ApiGatewayV2 Stage
CloudGuard Rule ID: D9.CFT.LOG.15
Covered by Spectral: Yes
Category: Management Tools
GSL LOGIC
AWS_ApiGatewayV2_Stage should have AccessLogSettings.DestinationArn
REMEDIATION
From CFT
Supply the AccessLogSettings.DestinationArn property of the AWS::ApiGatewayV2::Stage resource with the ARN of the CloudWatch Logs log group that should receive the access logs.
See the example template below:
Resources:
  MyApi:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      ...
      AccessLogSettings:
        DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
      ...
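As an added example (not code from the page or from CloudGuard), the following Python script applies the GSL logic above to a CloudFormation template in JSON form and reports every AWS::ApiGatewayV2::Stage that lacks an AccessLogSettings.DestinationArn. The template, its logical IDs and the log format string are constructed for this example; the check accepts either a literal ARN or an intrinsic function reference to a log group.

```python
import json

# Constructed sample template: one stage with access logging wired to a
# log group (compliant) and one stage with no AccessLogSettings (fails).
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "ApiLogGroup": {"Type": "AWS::Logs::LogGroup",
                    "Properties": {"RetentionInDays": 90}},
    "LoggedStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "ApiId": {"Ref": "MyHttpApi"},
        "StageName": "prod",
        "AccessLogSettings": {
          "DestinationArn": {"Fn::GetAtt": ["ApiLogGroup", "Arn"]},
          "Format": "$context.requestId $context.httpMethod $context.path $context.status"
        }
      }
    },
    "SilentStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {"ApiId": {"Ref": "MyHttpApi"}, "StageName": "dev"}
    }
  }
}
"""

def has_access_logging(props):
    """AccessLogSettings.DestinationArn must exist and be non-empty.
    A literal ARN string or a CloudFormation intrinsic (Ref, Fn::GetAtt,
    Fn::Sub, Fn::ImportValue) pointing at the log group both count."""
    settings = props.get("AccessLogSettings")
    if not isinstance(settings, dict):
        return False
    dest = settings.get("DestinationArn")
    if isinstance(dest, str):
        return dest.strip() != ""
    if isinstance(dest, dict):
        return any(k in dest for k in ("Ref", "Fn::GetAtt", "Fn::Sub", "Fn::ImportValue"))
    return False

def find_unlogged_stages(template_text):
    """Return logical IDs of ApiGatewayV2 stages that would fail D9.CFT.LOG.15."""
    template = json.loads(template_text)
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ApiGatewayV2::Stage":
            continue
        if not has_access_logging(resource.get("Properties", {})):
            failing.append(logical_id)
    return failing

if __name__ == "__main__":
    print(find_unlogged_stages(SAMPLE_TEMPLATE))  # → ['SilentStage']
```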
References
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-stage.html
- https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging.html
AWS ApiGatewayV2 Stage
The AWS::ApiGatewayV2::Stage resource specifies a stage for an API. Each stage is a named reference to a deployment of the API and is made available for client applications to call.
Compliance Frameworks
- AWS CloudFormation ruleset
Updated about 1 year ago