Profile Applicability:

  • Level 1

Description:

API Gateway V2 allows you to manage and monitor HTTP, WebSocket, and other API services. Access logging provides detailed logs of API requests and responses, including headers, query parameters, and response times. Enabling Access Logging is critical for auditing, debugging, and ensuring that the API traffic is being monitored for security, performance, and troubleshooting purposes.

Rationale:

Enabling Access Logging for API Gateway V2 helps capture essential request and response information for security and operational monitoring. It assists with audit trails, troubleshooting, and performance analysis. Access logs can also help detect potential security incidents, unauthorized access attempts, or misuse of the API. Having Access Logging enabled ensures that you have a record of all interactions with your API, which is essential for compliance and security monitoring.

Impact:

Pros:

  • Security Monitoring: Logs all interactions with your API, which is useful for detecting malicious or unauthorized access attempts.

  • Operational Insights: Provides insights into the usage patterns, response times, and errors that can help optimize performance.

  • Compliance: Helps meet compliance requirements by keeping detailed access logs for auditing purposes.

  • Troubleshooting: Enables easier identification and resolution of issues in the API service.

Cons:

  • Storage Costs: Storing logs in CloudWatch Logs can incur additional storage costs.

  • Log Volume: A high volume of API requests can generate a large amount of log data, which may require management or filtering to ensure relevant information is captured.

Default Value:

By default, API Gateway V2 does not have Access Logging enabled. Access logging must be explicitly configured for each API stage to ensure that request and response data is logged to CloudWatch Logs.

Pre-requisite:

  • AWS IAM Permissions:

    • apigatewayv2:UpdateStage

    • logs:CreateLogGroup

    • logs:CreateLogStream

    • logs:PutLogEvents

  • AWS CLI installed and configured.

  • Familiarity with API Gateway V2, CloudWatch Logs, and IAM roles.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to API Gateway V2 under Services.

   

  1. In the API Gateway section, select APIs.

         

  1. Choose the API for which you want to check Access Logging.

   

  1. In the Stages section, select the stage you want to verify.

     

  1. Under the Logs/Tracing section, verify that Access Logging is enabled:

    • If Access Logging is enabled, a valid CloudWatch Log Group will be configured.

    • If Access Logging is not enabled, it will show as not configured.

     

  1. To enable Access Logging, click Edit and configure a CloudWatch Log Group and Log Format.

   

  1. Save the changes.

   

Using AWS CLI:

To check if Access Logging is enabled for a stage, use the following command:

aws apigatewayv2 get-stage --api-id <api-id> --stage-name <stage-name>

  1.  In the output, look for the Access Log Settings field:

    • If Access Log Settings is configured with a CloudWatch Log Group, Access Logging is enabled.

To enable Access Logging, use the following command:

aws apigatewayv2 update-stage --api-id <api-id> --stage-name <stage-name> --access-log-settings '{"destinationArn":"arn:aws:logs:<region>:<account-id>:log-group:<log-group>","format":"$context.identity.sourceIp - $context.identity.user"}'

 Replace the placeholders <region>, <account-id>, <log-group>, <api-id>, and <stage-name> with the appropriate values.


Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to API Gateway V2.

     

  1. Select APIs and choose the relevant API.

   

  1. Go to Stages and select the stage for which you want to enable logging.

   

  1. Under Logs/Tracing, click Edit.

 

  1. Enable Access Logging by selecting a CloudWatch Log Group and setting the desired log format.

     

Example log format:
$context.identity.sourceIp - $context.identity.user

  1. Save the changes.

Using AWS CLI:

To check the current Access Logging configuration:

aws apigatewayv2 get-stage --api-id <api-id> --stage-name <stage-name>

To enable Access Logging for a specific stage:

aws apigatewayv2 update-stage --api-id <api-id> --stage-name <stage-name> --access-log-settings '{"destinationArn":"arn:aws:logs:<region>:<account-id>:log-group:<log-group>","format":"$context.identity.sourceIp - $context.identity.user"}'

  1. Confirm that logging is enabled and that logs are being written to the specified CloudWatch Log Group.

Backout Plan:

If enabling Access Logging causes issues with API performance or log management:

  1. Identify the affected API Gateway V2 stage.

Revert the Access Logging configuration by setting the destination Arn to null:

aws apigatewayv2 update-stage --api-id <api-id> --stage-name <stage-name> --access-log-settings '{"destinationArn":null}'

  1. Verify that the API service is functioning as expected without access logging.

References:

CIS Controls Mapping:


version

Control ID

Control Description

IG1

IG2

IG3

     v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

     v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

      v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.