Enable AWS CloudWatch Logs for APIs

Risk level: Medium (should be achieved)

Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level.

Once logging is enabled, Amazon CloudWatch starts recording information about the execution of the API at the stage level, and this information is extremely useful when troubleshooting issues with your APIs.

Audit

To determine if your API stages have AWS CloudWatch logs enabled, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open the APIs listing page.

04 Choose the API that you want to examine then click on its name (link) to access the API details and configuration.

05 In the left navigation panel, within the API submenu, click Stages to list the stages created for the selected API.

06 Select the API stage that you want to examine.

07 On the API Stage Editor panel, select Logs tab to access the stage configuration settings.

08 In the CloudWatch Settings section, check the status of the Enable CloudWatch Logs setting. If the Enable CloudWatch Logs checkbox is unchecked, AWS CloudWatch logs are not enabled for the selected API stage, and no access or debug logs are generated for it.

09 Repeat steps no. 6 – 8 to check the CloudWatch Logs settings for other API stages created for the selected API.

10 Repeat steps no. 4 – 8 to verify other AWS API Gateway APIs available within the current region.

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the APIs available in the selected region:

aws apigateway get-rest-apis \
	--region us-east-1 \
	--output table \
	--query 'items[*].id'

02 The command output should return a table with the requested API IDs:

----------------
|  GetRestApis |
+--------------+
|  aaabbbcccd  |
|  dddeeefffg  |
|  bbbcccddde  |
|  eeefffgggh  |
+--------------+

03 Run the get-stages command (OSX/Linux/UNIX) using the ID of the API that you want to examine to get information about the stages created for the selected API:

aws apigateway get-stages \
	--region us-east-1 \
	--rest-api-id aaabbbcccd

04 The command output should return the metadata for the existing API stages:

{
    "item": [
        {
            "stageName": "Development",
            "cacheClusterEnabled": false,
            "cacheClusterStatus": "NOT_AVAILABLE",
            "deploymentId": "z0haur",
            "lastUpdatedDate": 1509558521,
            "createdDate": 1509558521,
            "methodSettings": {}
        },
        {
            "stageName": "Production",
            "cacheClusterEnabled": false,
            "cacheClusterStatus": "NOT_AVAILABLE",
            "deploymentId": "z0haur",
            "lastUpdatedDate": 1509557971,
            "createdDate": 1509557971,
            "methodSettings": {}
        }
    ]
}

Each item object in the command output represents an API stage. Inspect the methodSettings object of each stage: if it does not contain a property (attribute) named loggingLevel, Amazon CloudWatch logging is not enabled for that API stage. Repeat the current step to check the logging configuration of the other stages of the selected API.

05 Repeat step no. 3 and 4 to verify other AWS API Gateway APIs created in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
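The CLI audit in steps 3 and 4, expressed as code. This is an added example, not Cloud Conformity's tooling: it parses a get-stages response for stages with no stage-wide loggingLevel, also treats an explicit "OFF" level as disabled (which goes slightly beyond the page's check, since OFF is a valid loggingLevel value that API Gateway writes once logging has been configured and then turned off), and, when boto3 is available, sweeps every REST API in a region. The sample response is constructed from the page's placeholder IDs, and the boto3 calls assume installed credentials.

```python
"""Audit helper (added example, not Cloud Conformity's code): report API
Gateway stages whose methodSettings carry no active CloudWatch loggingLevel."""
import json

# Constructed sample modelled on the get-stages output above; API ID,
# deployment ID and stage names are the page's own placeholder values.
SAMPLE_GET_STAGES = json.loads("""
{
    "item": [
        {"stageName": "Development", "deploymentId": "z0haur",
         "methodSettings": {}},
        {"stageName": "Production", "deploymentId": "z0haur",
         "methodSettings": {"*/*": {"loggingLevel": "INFO",
                                    "dataTraceEnabled": true}}},
        {"stageName": "Staging", "deploymentId": "z0haur",
         "methodSettings": {"*/*": {"loggingLevel": "OFF",
                                    "dataTraceEnabled": false}}}
    ]
}
""")


def stage_logging_level(stage):
    """Return the stage-wide loggingLevel, or None when the stage has never
    had logging configured.

    API Gateway keys stage-wide settings under '*/*'; per-method overrides
    use '<resource-path>/<HTTP-verb>' keys. Only the stage-wide key is
    consulted here, matching the page's check of the methodSettings object."""
    settings = stage.get("methodSettings", {}).get("*/*", {})
    return settings.get("loggingLevel")


def find_unlogged_stages(get_stages_response):
    """Names of stages where CloudWatch execution logging is not active:
    loggingLevel absent (never configured) or explicitly 'OFF'."""
    unlogged = []
    for stage in get_stages_response.get("item", []):
        level = stage_logging_level(stage)
        if level is None or level == "OFF":
            unlogged.append(stage["stageName"])
    return unlogged


def audit_region(region, client=None):
    """Sweep every REST API in one region and return {api_id: [stage, ...]}
    for stages that lack logging. `client` is a boto3 apigateway client; when
    None, boto3 is imported here so the module loads without it (assumption:
    boto3 installed and AWS credentials configured)."""
    if client is None:
        import boto3
        client = boto3.client("apigateway", region_name=region)
    findings = {}
    # get_rest_apis is paginated; a paginator avoids missing APIs on later pages,
    # which a single call with the default limit would silently drop.
    for page in client.get_paginator("get_rest_apis").paginate():
        for api in page["items"]:
            stages = client.get_stages(restApiId=api["id"])
            bad = find_unlogged_stages(stages)
            if bad:
                findings[api["id"]] = bad
    return findings


if __name__ == "__main__":
    print("Offline sample, stages without logging:",
          find_unlogged_stages(SAMPLE_GET_STAGES))
```

Run audit_region once per region you operate in (the page's step 6); the offline sample shows the two ways a stage ends up unlogged, the never-configured case the page describes and the configured-then-disabled case.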

Remediation / Resolution

To enable AWS CloudWatch Logs for your Amazon API Gateway APIs, perform the following actions:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open your APIs listing page.

04 Choose the API that you want to reconfigure (see Audit section part I to identify the right resource), then click on its name to access the API details and configuration.

05 In the left navigation panel, in the API submenu, click Stages to list the stages created for the selected API.

06 Select the API stage that you want to reconfigure.

07 On the API Stage Editor panel, select Logs tab to access the stage settings.

08 In the CloudWatch Settings section, perform the following:

  1. Check Enable CloudWatch Logs setting checkbox to enable the feature.
  2. Select INFO from the Log level dropdown list to set the appropriate level for logging stage data.
  3. Check Log full requests/responses data option checkbox to record the full requests sent to API Gateway and the responses from the backend, including any transformations that might happen in your mapping template.

09 Click Save Changes to apply the configuration changes and enable CloudWatch logging for the selected stage.

10 Repeat steps no. 6 – 9 to enable CloudWatch Logs for other API stages created for the selected API.

11 Repeat steps no. 4 – 10 to enable AWS CloudWatch logging for other APIs available within the current region.

12 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the update-stage command (OSX/Linux/UNIX) using the ID of the API and the name of the API stage that you want to reconfigure as identifiers to enable CloudWatch Logs for the selected API stage. The following command example enables CloudWatch logging (using the INFO log level) for an API stage named "Development", created for an API identified by the ID "aaabbbcccd":

aws apigateway update-stage \
	--region us-east-1 \
	--rest-api-id aaabbbcccd \
	--stage-name 'Development' \
	--patch-operations op=replace,path=/*/*/logging/loglevel,value=INFO op=replace,path=/*/*/logging/dataTrace,value=true

02 The command output should return the API stage metadata:

{
    "stageName": "Development",
    "cacheClusterSize": "0.5",
    "cacheClusterEnabled": false,
    "cacheClusterStatus": "NOT_AVAILABLE",
    "deploymentId": "z0haur",
    "lastUpdatedDate": 1509565398,
    "createdDate": 1509558521,
    "methodSettings": {
        "*/*": {
            "cacheTtlInSeconds": 300,
            "loggingLevel": "INFO",
            "dataTraceEnabled": true,
            "metricsEnabled": false,
            "unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
            "throttlingRateLimit": 10000.0,
            "cacheDataEncrypted": false,
            "cachingEnabled": false,
            "throttlingBurstLimit": 5000,
            "requireAuthorizationForCacheControl": true
        }
    }
}

03 Repeat step no. 1 and 2 to enable CloudWatch Logs for other API stages available for the specified API.

04 Repeat steps no. 1 – 3 to enable AWS CloudWatch logging for other APIs available within the current region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
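The CLI remediation in steps 1 and 2, as code. This is an added example, not Cloud Conformity's tooling: it builds the same patch document the update-stage command above uses and confirms from the returned stage metadata that the stage-wide methodSettings now carry the requested loggingLevel and dataTraceEnabled values, which is exactly what the audit looks for. The FakeApiGatewayClient is a constructed stand-in for the boto3 apigateway client so the example runs offline; against AWS you would pass boto3.client("apigateway", region_name=...) instead.

```python
"""Remediation helper (added example, not Cloud Conformity's code): enable
CloudWatch execution logging on an API Gateway stage and verify the result."""


def logging_patch_operations(log_level="INFO", data_trace=True):
    """The patch document behind `--patch-operations` above. Paths follow
    /<resource>/<method>/logging/<setting>; '*' wildcards make the operation
    stage-wide, which is why the result lands under methodSettings['*/*'].
    API Gateway expects every patch value as a string, hence "true"/"false"."""
    return [
        {"op": "replace", "path": "/*/*/logging/loglevel", "value": log_level},
        {"op": "replace", "path": "/*/*/logging/dataTrace",
         "value": "true" if data_trace else "false"},
    ]


def enable_stage_logging(client, rest_api_id, stage_name,
                         log_level="INFO", data_trace=True):
    """Apply the patch and return True only if the stage metadata that
    update-stage hands back reflects the new settings."""
    stage = client.update_stage(
        restApiId=rest_api_id,
        stageName=stage_name,
        patchOperations=logging_patch_operations(log_level, data_trace),
    )
    settings = stage.get("methodSettings", {}).get("*/*", {})
    return (settings.get("loggingLevel") == log_level
            and settings.get("dataTraceEnabled") is data_trace)


class FakeApiGatewayClient:
    """Constructed stand-in for boto3's apigateway client. It implements just
    the two patch paths used here, mapping them onto the methodSettings keys
    that appear in the real update-stage output on the page."""
    PATH_TO_SETTING = {
        "/*/*/logging/loglevel": ("loggingLevel", str),
        "/*/*/logging/dataTrace": ("dataTraceEnabled", lambda v: v == "true"),
    }

    def __init__(self):
        # One stage with no logging configured, using the page's placeholder IDs.
        self.stages = {
            ("aaabbbcccd", "Development"): {"stageName": "Development",
                                            "deploymentId": "z0haur",
                                            "methodSettings": {}},
        }

    def update_stage(self, restApiId, stageName, patchOperations):
        stage = self.stages[(restApiId, stageName)]
        settings = stage["methodSettings"].setdefault("*/*", {})
        for op in patchOperations:
            if op["op"] != "replace" or op["path"] not in self.PATH_TO_SETTING:
                raise ValueError("unsupported patch operation: %r" % (op,))
            key, convert = self.PATH_TO_SETTING[op["path"]]
            settings[key] = convert(op["value"])
        return stage


def demo_offline():
    """Enable logging on the fake stage and return (verified, methodSettings)."""
    client = FakeApiGatewayClient()
    ok = enable_stage_logging(client, "aaabbbcccd", "Development")
    return ok, client.stages[("aaabbbcccd", "Development")]["methodSettings"]


if __name__ == "__main__":
    verified, settings = demo_offline()
    print("logging enabled and verified:", verified)
    print("stage-wide settings:", settings)
```

Two caveats apply before running this against a real account. update-stage only succeeds once the account-level CloudWatch log role ARN for API Gateway has been set (the cloudwatchRoleArn account setting, patched with aws apigateway update-account); without it the call is rejected. And dataTrace=true writes full request and response bodies and headers to CloudWatch Logs, so the log group should be treated as sensitive data: restrict who can read it and set a retention period, or pass data_trace=False on stages that carry credentials or personal data and rely on the INFO level alone.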

Publication date Nov 13, 2017