Description:
Enabling access logging in API Gateway V2 allows you to track and monitor API usage. This information can be used to identify potential security threats, troubleshoot performance issues, and improve the overall user experience.

Rationale:
Access logging is a critical security measure that can help you protect your APIs from unauthorized access and malicious activity. By tracking who is accessing your APIs and what they are doing, you can identify potential threats and take steps to mitigate them. Additionally, access logs can be used to troubleshoot performance issues and improve the overall user experience.

Impact:
Enabling access logging in API Gateway V2 has no negative impact on API performance. The logs can in fact help improve performance, because they give you the information needed to identify and fix performance bottlenecks.

Default Value:
By default, access logging is not enabled in API Gateway V2. You must explicitly enable it if you want to track and monitor API usage.

Pre-requisites:

  • You must have an AWS account and be logged in to the AWS Management Console.
  • You must have the appropriate permissions to enable access logging in API Gateway V2.

Remediation Steps:
To enable access logging on an API Gateway V2 stage that does not yet have it, follow these steps:

  1. Go to the AWS Management Console and sign in to your account.
  2. Click on the API Gateway service.
  3. Click on the name of the API that you want to enable access logging for.
  4. Click on the Stages tab.
  5. Select the stage that you want to enable access logging for.
  6. Click on the Logs/Tracing tab.
  7. Under Custom Access Logging, select the Enable Access Logging check box.
  8. Enter the ARN of the CloudWatch log group where you want to store the access logs.
  9. Click on the Save button.


Test Plan:
To test whether access logging is enabled in API Gateway V2, you can follow these steps:

  1. Make a call to the API that you enabled access logging for.
  2. Check the CloudWatch log group that you specified in step 8 to see if there are any access logs for the call that you made.
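To make step 2 concrete, here is an added example (written for this page; it is not code from the original document or from AWS) that parses access log lines written in the CLF-style format string from the AWS developer guide, $context.identity.sourceIp - - [$context.requestTime] "$context.httpMethod $context.routeKey $context.protocol" $context.status $context.responseLength $context.requestId, and summarises them per source IP. The same log group that confirms your test call was recorded can then be reviewed for clients whose requests are mostly rejected. The sample lines, IP addresses, route keys and request IDs are constructed; the thresholds in suspicious_sources() are arbitrary defaults.

```python
"""Parse API Gateway V2 access logs in the CLF-style format and summarise
them per source IP. Added example; not from the AWS documentation."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Matches lines produced by this access log format:
#   $context.identity.sourceIp - - [$context.requestTime]
#   "$context.httpMethod $context.routeKey $context.protocol"
#   $context.status $context.responseLength $context.requestId
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<route>.+?) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<length>\S+) (?P<request_id>\S+)$'
)


@dataclass(frozen=True)
class Entry:
    ip: str
    time: str
    method: str
    route: str        # $context.routeKey, e.g. "GET /orders" or "$default"
    proto: str
    status: int
    length: str       # $context.responseLength, "-" when not set
    request_id: str


def parse_line(line: str) -> Entry | None:
    """Return an Entry for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Entry(d["ip"], d["time"], d["method"], d["route"], d["proto"],
                 int(d["status"]), d["length"], d["request_id"])


def parse_lines(lines: Iterable[str]) -> list[Entry]:
    """Parse many lines, skipping blank or malformed ones."""
    return [e for e in (parse_line(ln) for ln in lines if ln.strip()) if e]


def summarize(entries: Iterable[Entry]) -> dict[str, dict[str, int]]:
    """Per-source-IP counts: total requests, 4xx and 5xx responses."""
    stats = defaultdict(lambda: {"total": 0, "4xx": 0, "5xx": 0})
    for e in entries:
        s = stats[e.ip]
        s["total"] += 1
        if 400 <= e.status < 500:
            s["4xx"] += 1
        elif e.status >= 500:
            s["5xx"] += 1
    return dict(stats)


def suspicious_sources(entries: Iterable[Entry], min_requests: int = 5,
                       error_ratio: float = 0.5) -> list[str]:
    """IPs with at least min_requests calls of which error_ratio or more were 4xx."""
    return [ip for ip, s in sorted(summarize(entries).items())
            if s["total"] >= min_requests and s["4xx"] / s["total"] >= error_ratio]


# Constructed sample log lines in the format above (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "GET GET /orders HTTP/1.1" 200 512 0a1b2c3d-0001-4000-8000-000000000001
203.0.113.10 - - [10/Mar/2024:12:00:03 +0000] "POST POST /orders HTTP/1.1" 201 64 0a1b2c3d-0001-4000-8000-000000000002
198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "GET GET /admin HTTP/1.1" 403 - 0a1b2c3d-0001-4000-8000-000000000003
198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "GET GET /admin HTTP/1.1" 403 - 0a1b2c3d-0001-4000-8000-000000000004
198.51.100.7 - - [10/Mar/2024:12:00:06 +0000] "GET GET /admin HTTP/1.1" 401 - 0a1b2c3d-0001-4000-8000-000000000005
198.51.100.7 - - [10/Mar/2024:12:00:06 +0000] "GET GET /admin HTTP/1.1" 403 - 0a1b2c3d-0001-4000-8000-000000000006
198.51.100.7 - - [10/Mar/2024:12:00:07 +0000] "GET GET /admin HTTP/1.1" 403 - 0a1b2c3d-0001-4000-8000-000000000007
198.51.100.7 - - [10/Mar/2024:12:00:08 +0000] "DELETE DELETE /orders/{id} HTTP/1.1" 403 - 0a1b2c3d-0001-4000-8000-000000000008
203.0.113.10 - - [10/Mar/2024:12:00:09 +0000] "GET $default HTTP/1.1" 200 128 0a1b2c3d-0001-4000-8000-000000000009
this line is not an access log entry and is skipped
"""


if __name__ == "__main__":
    entries = parse_lines(SAMPLE_LOG.splitlines())
    for ip, s in summarize(entries).items():
        print(f"{ip}: {s}")
    print("review:", suspicious_sources(entries))
```

Feed the script the lines exported from the CloudWatch log group (for example via the console's export or a Logs Insights query) in place of SAMPLE_LOG; the request_id field is what you use to match a log entry to the test call you made.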


Implementation Plan:
The following steps implement the policy of ensuring that API Gateway V2 has access logging enabled:

  1. Identify all of the APIs that need access logging enabled.
  2. Enable access logging for each of the identified APIs.
  3. Test to make sure that access logging is working properly.
  4. Document the process for enabling and disabling access logging.

AWS CLI Process:
To enable access logging on a stage of an API Gateway V2 (HTTP or WebSocket) API using the AWS CLI, use the apigatewayv2 command set (the apigateway command set targets REST APIs and has no --access-log-settings option):

aws apigatewayv2 update-stage --api-id <api_id> --stage-name <stage_name> --access-log-settings file://path/to/log_file.json

The log_file.json file should contain the following JSON. The Format value is the CLF-style format string from the AWS developer guide; whatever format you choose must reference $context.requestId:

{
  "DestinationArn": "arn:aws:logs:us-west-2:123456789012:log-group:/my-api/access-logs",
  "Format": "$context.identity.sourceIp - - [$context.requestTime] \"$context.httpMethod $context.routeKey $context.protocol\" $context.status $context.responseLength $context.requestId"
}
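Steps 1 to 3 of the Implementation Plan (identify every stage, enable logging, verify) and the CLI command above can be scripted. The following is an added example written for this page, not code from AWS or from the original document. It uses the boto3 apigatewayv2 client operations get_apis, get_stages and update_stage, and keeps the compliance checks in pure functions that run offline against a constructed inventory. It assumes the policy requires every stage to log to a CloudWatch Logs log group with a format containing $context.requestId; the API IDs, stage names and ARNs in SAMPLE_INVENTORY are constructed.

```python
"""Audit (and optionally remediate) access logging on API Gateway V2 stages.
Added example for this page, not AWS code. boto3 is imported only when a
live audit is requested, so the checks can run without credentials."""
from __future__ import annotations

REQUIRED_FIELD = "$context.requestId"

# CLF-style format string from the AWS developer guide; default when remediating.
CLF_FORMAT = (
    '$context.identity.sourceIp - - [$context.requestTime] '
    '"$context.httpMethod $context.routeKey $context.protocol" '
    '$context.status $context.responseLength $context.requestId'
)


def stage_findings(stage: dict) -> list[str]:
    """Policy problems for one stage item as returned by get_stages(); [] if compliant."""
    settings = stage.get("AccessLogSettings") or {}
    dest = settings.get("DestinationArn") or ""
    fmt = settings.get("Format") or ""
    problems: list[str] = []
    if not dest:
        problems.append("access logging is not enabled (no DestinationArn)")
        return problems
    # Expected shape: arn:<partition>:logs:<region>:<account>:log-group:<name>
    parts = dest.split(":")
    if len(parts) < 7 or parts[0] != "arn" or parts[2] != "logs" or parts[5] != "log-group":
        problems.append(f"DestinationArn is not a CloudWatch Logs log group ARN: {dest}")
    if not fmt:
        problems.append("access log format is empty")
    elif REQUIRED_FIELD not in fmt:
        problems.append(f"format does not include {REQUIRED_FIELD}")
    return problems


def audit(inventory: dict[str, list[dict]]) -> dict[str, list[str]]:
    """Map "<api_id>/<stage_name>" to its findings, for non-compliant stages only."""
    report: dict[str, list[str]] = {}
    for api_id, stages in inventory.items():
        for stage in stages:
            problems = stage_findings(stage)
            if problems:
                report[f"{api_id}/{stage['StageName']}"] = problems
    return report


def _paginate(call, **kwargs):
    """Yield every item from a NextToken-paginated apigatewayv2 list call."""
    while True:
        page = call(**kwargs)
        yield from page.get("Items", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def collect_stages(client) -> dict[str, list[dict]]:
    """Inventory of every V2 API and its stages (Implementation Plan step 1)."""
    return {api["ApiId"]: list(_paginate(client.get_stages, ApiId=api["ApiId"]))
            for api in _paginate(client.get_apis)}


def remediate_stage(client, api_id: str, stage_name: str,
                    log_group_arn: str, fmt: str = CLF_FORMAT) -> dict:
    """Enable access logging on one stage; same effect as the CLI command above."""
    return client.update_stage(
        ApiId=api_id, StageName=stage_name,
        AccessLogSettings={"DestinationArn": log_group_arn, "Format": fmt})


# Constructed inventory in the shape collect_stages() returns; IDs and ARNs are made up.
_LOG_GROUP = "arn:aws:logs:us-west-2:123456789012:log-group:/my-api/access-logs"
SAMPLE_INVENTORY = {
    "a1b2c3": [
        {"StageName": "$default",
         "AccessLogSettings": {"DestinationArn": _LOG_GROUP, "Format": CLF_FORMAT}},
        {"StageName": "dev"},                       # logging never enabled
    ],
    "d4e5f6": [
        {"StageName": "prod",
         "AccessLogSettings": {"DestinationArn": _LOG_GROUP, "Format": "CLF"}},
        {"StageName": "test",
         "AccessLogSettings": {"DestinationArn": "arn:aws:s3:::my-bucket",
                               "Format": CLF_FORMAT}},
    ],
}


if __name__ == "__main__":
    import sys
    if "--aws" in sys.argv:           # live audit of the current account/region
        import boto3
        inventory = collect_stages(boto3.client("apigatewayv2"))
    else:
        inventory = SAMPLE_INVENTORY
    report = audit(inventory)
    for key, problems in sorted(report.items()):
        print(f"{key}: {'; '.join(problems)}")
    sys.exit(1 if report else 0)
```

Run it without arguments to see the checks against the constructed inventory, or with --aws to audit the account and region your credentials point at; a non-zero exit code marks a non-compliant stage, which makes the script usable as a scheduled compliance check. Call remediate_stage() for each reported key once you have the log group ARN, then re-run the audit as the Test Plan prescribes.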


Using AWS GUI:
The console procedure is the same as the one given under Remediation Steps above (steps 1 to 9).


Backout Plan:

  1. Go to the API Gateway console.
  2. Find the API that you enabled access logging for.
  3. On the Stage Editor pane, choose the Logs/Tracing tab.
  4. Under Custom Access Logging, uncheck the Enable Access Logging check box.
  5. Click Save Changes.


Note:

  • This will disable access logging for the specified API.
  • If you have any CloudWatch alarms or metrics that are based on the access logs, you will need to update them accordingly.


Reference:

https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html