Profile Applicability:

  • Level 1

Description:

API Gateway enables you to create, publish, and manage APIs for your applications. Logging in API Gateway captures data about the requests made to the API, including request and response details, response time, status codes, and more. By enabling logging, you can ensure that there is a comprehensive audit trail for all API calls. This SOP ensures that logging is enabled for API Gateway stages to capture critical information for monitoring, debugging, and compliance purposes.

Rationale:

Enabling API Gateway logging allows you to:

  • Track API usage: Understand the traffic patterns and monitor the behavior of API consumers.

  • Debugging: Quickly identify and troubleshoot issues by reviewing detailed logs, including request and response information, error messages, and more.

  • Audit and Compliance: Logs serve as an audit trail for monitoring API access and usage, which is essential for compliance with security standards such as SOC 2, PCI-DSS, and HIPAA.

  • Performance Metrics: Helps to collect metrics like request latency, status codes, and bottlenecks, which can be crucial for performance optimization.

Impact:

Pros:

  • Enhanced Monitoring: Logs provide visibility into API calls, helping with debugging and performance optimization.

  • Improved Troubleshooting: Detailed logs aid in quickly pinpointing issues, reducing downtime.

  • Security and Compliance: Logs provide a way to track access and ensure that only authorized requests are made, meeting compliance requirements.

Cons:

  • Storage Costs: Storing logs in CloudWatch may lead to additional costs based on the volume of logs generated.

  • Performance Overhead: Enabling logging may introduce slight performance overhead due to the extra data capture.

Default Value:

By default, API Gateway logging is disabled for stages. It must be explicitly enabled to start capturing logs for requests and responses.

Pre-requisites:

  • IAM Permissions to view and modify API Gateway settings:

    • apigateway:GET

    • apigateway:PUT

    • logs:CreateLogGroup

    • logs:CreateLogStream

    • logs:PutLogEvents

  • CloudWatch Logs should be set up to store the API logs.

  • API Gateway Stage created and accessible.

Remediation:

Test plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to API Gateway under Services.

  3. In the API Gateway Console, select the API you want to check.

  4. In the API Resources section, select the Stage for which you want to verify logging.

  5. Under the Stage Editor, scroll down to the Logs/Tracing section.

  6. Ensure that Enable CloudWatch Logs is checked.

    • If not checked, check the Enable CloudWatch Logs option.

    • Set the Log Level to INFO, ERROR, or ALL depending on the level of detail you need.

  7. Ensure that CloudWatch Log Group is set to an appropriate log group.

  8. Save the changes and redeploy the API if necessary.

Using AWS CLI:

To check if logging is enabled for a specific API stage, run:

aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'accessLogSetting'

If logging is not enabled, you can enable it using the following command (the patch paths for access logging are /accessLogSettings/destinationArn and /accessLogSettings/format):

aws apigateway update-stage --rest-api-id <api-id> --stage-name <stage-name> --patch-operations op=replace,path=/accessLogSettings/destinationArn,value=arn:aws:logs:<region>:<account-id>:log-group:<log-group-name> op=replace,path=/accessLogSettings/format,value='$context.requestId'

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to API Gateway.

  2. In the API Gateway Console, select the API for which you want to enable logging.

  3. Under API Resources, select the Stage to configure logging.

  4. In the Stage Editor, scroll down to the Logs/Tracing section.

  5. Check the box Enable CloudWatch Logs and set the Log Level (INFO, ERROR, or ALL).

  6. Ensure the Log Group is correct, and select the CloudWatch Log Group for storing logs.

  7. Save the changes and redeploy the API if necessary.

Using AWS CLI:

Check if logging is enabled for the stage using:

aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'accessLogSetting'

Enable logging by running the following command:

aws apigateway update-stage --rest-api-id <api-id> --stage-name <stage-name> --patch-operations op=replace,path=/accessLogSettings/destinationArn,value=arn:aws:logs:<region>:<account-id>:log-group:<log-group-name> op=replace,path=/accessLogSettings/format,value='$context.requestId'

After enabling logging, verify the logging configuration:

aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'accessLogSetting'

Backout Plan:

Using AWS Console:

  1. If enabling logging causes issues (e.g., performance problems or incorrect logging configuration), navigate back to the Stage Editor in the API Gateway Console.

  2. Uncheck Enable CloudWatch Logs to disable logging.

  3. Save changes and redeploy the API if necessary.

Using AWS CLI:

If the change causes issues, disable logging using:

aws apigateway update-stage --rest-api-id <api-id> --stage-name <stage-name> --patch-operations op=remove,path=/accessLogSettings

Verify the logging has been disabled by running:

aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'accessLogSetting'

Note:

  • Log Formatting: You can customize the log format by specifying additional context variables (e.g., $context.requestId, $context.status) to capture more detailed information.

  • CloudWatch Log Group: Make sure that the CloudWatch Log Group exists and that you have the correct permissions to write logs to it.

  • Performance Monitoring: After enabling logging, monitor the CloudWatch Logs for performance-related issues. You can adjust the log level if unnecessary details are being logged.
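The following script is an added example, not part of this SOP or of AWS tooling: it reads the JSON that `aws apigateway get-stage` prints, reports whether the stage has both access logging (accessLogSetting) and execution logging (the methodSettings log level set by Enable CloudWatch Logs) configured, and builds the patch operations for `update-stage`. The sample stage document, the log group ARN, and the structured access log format built from $context variables are constructed for the example.

```python
"""Audit one API Gateway stage's logging settings and build the fix."""
import json

# Constructed access-log format (JSON of $context variables); not mandated by the SOP.
RECOMMENDED_FORMAT = json.dumps({
    "requestId": "$context.requestId",
    "sourceIp": "$context.identity.sourceIp",
    "requestTime": "$context.requestTime",
    "httpMethod": "$context.httpMethod",
    "resourcePath": "$context.resourcePath",
    "status": "$context.status",
})


def audit_stage(stage: dict) -> list[str]:
    """Return findings for a get-stage document; an empty list means compliant."""
    findings = []
    access = stage.get("accessLogSetting") or {}
    if not access.get("destinationArn"):
        findings.append("access logging: no destinationArn (CloudWatch log group) set")
    if not access.get("format"):
        findings.append("access logging: no log format set")
    # Execution logging is per method; the "*/*" key is the stage-wide default.
    level = (stage.get("methodSettings") or {}).get("*/*", {}).get("loggingLevel", "OFF")
    if level not in ("ERROR", "INFO"):
        findings.append(f"execution logging: level is {level}, expected ERROR or INFO")
    return findings


def enable_access_logging_patch(log_group_arn: str, fmt: str = RECOMMENDED_FORMAT) -> list[dict]:
    """Patch operations for `aws apigateway update-stage --patch-operations file://ops.json`."""
    return [
        {"op": "replace", "path": "/accessLogSettings/destinationArn", "value": log_group_arn},
        {"op": "replace", "path": "/accessLogSettings/format", "value": fmt},
    ]


# Constructed sample: a stage with no access logging and execution logging OFF.
SAMPLE_STAGE = json.loads("""{
  "stageName": "prod",
  "deploymentId": "abc123",
  "methodSettings": {"*/*": {"loggingLevel": "OFF", "metricsEnabled": false}}
}""")

if __name__ == "__main__":
    for finding in audit_stage(SAMPLE_STAGE):
        print("FAIL:", finding)
    ops = enable_access_logging_patch(
        "arn:aws:logs:us-east-1:111122223333:log-group:/aws/apigateway/prod-access")
    print(json.dumps(ops, indent=2))
```

Run it against live output with `aws apigateway get-stage ... > stage.json` and `audit_stage(json.load(open("stage.json")))`; the log group named in the ARN must already exist, as the Note above says.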

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                              | IG1 | IG2 | IG3
v8      | 6.1        | Ensure appropriate authentication and authorization controls are implemented for API endpoints.  |     |     |
v8      | 6.4        | Implement security controls to protect sensitive applications and data from unauthorized access. |     |     |
v8      | 14.3       | Enforce security and authentication for API gateways to limit access to valid requests.          |     |     |