DESCRIPTION:
Enabling the custom access logging option in API Gateway delivers custom access logs to CloudWatch Logs, where they can be analyzed with CloudWatch Logs Insights. When custom domain names are used in Amazon API Gateway, access logs give insight into the requests sent to each custom domain name. If more than one custom domain name is mapped to a single API, knowing the quantity and type of requests per domain name helps in understanding request patterns.
RATIONALE:
Access logs contain details about who accessed your API and how they accessed it, which can also be used for troubleshooting API errors.
IMPACT :
API Gateway access logs are disabled by default and need to be enabled on AWS. Once enabled, they make it easy to monitor the API resources that are in use and give flexible security control.
DEFAULT VALUE :
API Gateway Access logs are disabled.
PREREQUISITES:
- Sign in as an admin or as an IAM user with the required permissions.
- Before following the implementation steps, you must have an API Gateway API that is deployed.
REMEDIATION:
TEST PLAN:
- Log on to the AWS Management Console.
- Go to the Amazon API Gateway console: https://console.aws.amazon.com/apigateway
- In the APIs pane, choose the API you want to examine.
- Click on Stages.
- Click on Logs/Tracing.
- Check whether Enable Access Logging is checked or unchecked.
Using AWS CLI:
aws apigateway get-stages --region us-east-1 --rest-api-id <api_id>
The above command lists the stages of the given API; a stage has access logging enabled only if its output contains an accessLogSettings block with a destinationArn and a format.
IMPLEMENTATION:
- Sign in to the AWS Management Console.
- Go to the API Gateway console: https://console.aws.amazon.com/apigateway
- Click on APIs in the left navigation pane.
- Choose the API for which you want to enable logging.
- In the navigation panel, in the API submenu, click Stages to list the stages created for the selected API.
- In the Logs/Tracing tab, check the Enable Access Logging box.
- Copy the ARN of the CloudWatch role created earlier for API Gateway that grants API Gateway the required access.
- Paste the ARN of the role, click Save, then click JSON.
- Click on Save changes.
Using AWS CLI (the original command here patched /*/*/logging/loglevel and /*/*/logging/dataTrace, which enables execution logging with full request/response payloads rather than access logging; the patch paths below configure the stage's access log destination and format, using the CLF-style $context format from the API Gateway documentation):
aws apigateway update-stage --region <value> --rest-api-id <value> --stage-name '<value>' --patch-operations op=replace,path=/accessLogSettings/destinationArn,value=<log_group_arn> op=replace,path=/accessLogSettings/format,value='$context.identity.sourceIp $context.identity.caller $context.identity.user [$context.requestTime] "$context.httpMethod $context.resourcePath $context.protocol" $context.status $context.responseLength $context.requestId'
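The test plan and implementation above can be scripted for an account with many APIs. The following is an added example (not part of this document) that evaluates get-stages output the same way the test plan does, and builds the patch operations the implementation step applies; the sample stage data is constructed, and the live audit function assumes boto3 with valid AWS credentials.

```python
"""Audit API Gateway REST API stages for access logging and build the remediation patch."""
import json

# Constructed sample in the shape of `aws apigateway get-stages` / boto3 get_stages() output.
# Only "prod" is fully configured; "dev" has no settings and "test" lacks a destination ARN.
SAMPLE_STAGES = {
    "item": [
        {"stageName": "prod", "accessLogSettings": {
            "destinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:api-access",
            "format": "$context.requestId $context.status"}},
        {"stageName": "dev"},
        {"stageName": "test", "accessLogSettings": {"format": "$context.requestId"}},
    ]
}


def stage_has_access_logging(stage):
    """Access logging is effective only when both a destination ARN and a format are set."""
    settings = stage.get("accessLogSettings") or {}
    return bool(settings.get("destinationArn")) and bool(settings.get("format"))


def stages_missing_access_logging(stages_response):
    """Return the names of stages that fail the test-plan check."""
    return [s["stageName"] for s in stages_response.get("item", [])
            if not stage_has_access_logging(s)]


def access_log_patch_operations(log_group_arn, log_format):
    """Patch operations for update-stage / update_stage, matching the implementation step."""
    return [
        {"op": "replace", "path": "/accessLogSettings/destinationArn", "value": log_group_arn},
        {"op": "replace", "path": "/accessLogSettings/format", "value": log_format},
    ]


def audit_region(region):
    """Live audit over every REST API in a region (assumes boto3 and AWS credentials)."""
    import boto3  # imported here so the pure checks above run without boto3 installed
    client = boto3.client("apigateway", region_name=region)
    findings = {}
    for page in client.get_paginator("get_rest_apis").paginate():
        for api in page.get("items", []):
            missing = stages_missing_access_logging(client.get_stages(restApiId=api["id"]))
            if missing:
                findings[api["id"]] = missing
    return findings  # {api_id: [stage names without access logging]}


if __name__ == "__main__":
    print(json.dumps({"sample_stages_missing_access_logging":
                      stages_missing_access_logging(SAMPLE_STAGES)}, indent=2))
```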
BACKOUT PLAN :
- Log in to the AWS Management Console.
- Go to the Amazon API Gateway console: https://console.aws.amazon.com/apigateway
- Choose the API.
- In the navigation panel, in the API submenu, click Stages to list the stages created for the selected API.
- In the Logs/Tracing tab, uncheck the Enable Access Logging box to disable it.
- Click on the Save changes button.
Using AWS CLI (removes the stage's access log settings, reversing the implementation step):
aws apigateway update-stage --region <value> --rest-api-id <value> --stage-name '<value>' --patch-operations op=remove,path=/accessLogSettings