APIs CloudWatch Logs

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: AG-001

Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework (Operational excellence and Performance efficiency pillars)

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Once the logging is enabled, Amazon CloudWatch starts recording information about the API execution at the stage level and this information can be extremely useful for troubleshooting any issues that you might have with your APIs.


Audit

To determine if your API stages have AWS CloudWatch logs enabled, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open the APIs listing page.

04 Choose the API that you want to examine then click on its name (link) to access the API details and configuration.

05 In the left navigation panel, within the API submenu, click Stages to list the stages created for the selected API.

06 Select the API stage that you want to examine.

07 On the API Stage Editor panel, select Logs tab to access the stage configuration settings.

08 In the CloudWatch Settings section, verify the status of the Enable CloudWatch Logs setting. If the Enable CloudWatch Logs checkbox is unchecked, AWS CloudWatch logs are not enabled for the selected API stage, and therefore no access or debug logs are generated for the current stage.

09 Repeat steps no. 6 – 8 to check the CloudWatch Logs settings for other API stages created for the selected API.

10 Repeat steps no. 4 – 8 to verify other AWS API Gateway APIs available within the current region.

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the APIs available in the selected region:

aws apigateway get-rest-apis \
	--region us-east-1 \
	--output table \
	--query 'items[*].id'

02 The command output should return a table with the requested API IDs:

----------------
|  GetRestApis |
+--------------+
|  aaabbbcccd  |
|  dddeeefffg  |
|  bbbcccddde  |
|  eeefffgggh  |
+--------------+

03 Run get-stages command (OSX/Linux/UNIX) using the ID of the API that you want to examine and custom query filters to get information about the stages created for the selected API:

aws apigateway get-stages \
	--region us-east-1 \
	--rest-api-id aaabbbcccd

04 The command output should return the metadata for the existing API stages:

{
    "item": [
        {
            "stageName": "Development",
            "cacheClusterEnabled": false,
            "cacheClusterStatus": "NOT_AVAILABLE",
            "deploymentId": "z0haur",
            "lastUpdatedDate": 1509558521,
            "createdDate": 1509558521,
            "methodSettings": {}
        },
        {
            "stageName": "Production",
            "cacheClusterEnabled": false,
            "cacheClusterStatus": "NOT_AVAILABLE",
            "deploymentId": "z0haur",
            "lastUpdatedDate": 1509557971,
            "createdDate": 1509557971,
            "methodSettings": {}
        }
    ]
}

Each item object returned in the command output represents an API stage. Verify the information listed for each stage: if the methodSettings object returned for the stage does not contain a property (attribute) named loggingLevel, logging with Amazon CloudWatch is not enabled for that API stage. Repeat the current step to check the logging configuration for the other API stages of the selected API.

05 Repeat steps no. 3 and 4 to verify other AWS API Gateway APIs created in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
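As an added example (not Conformity's own code and not part of the original page), the following Python applies the step 04 check across every API returned by get-rest-apis; it assumes a boto3 apigateway client and uses sample stage data constructed from the page's own output. It goes slightly beyond the page's check by also flagging stages where only per-method overrides log (status PARTIAL) and by treating an explicit loggingLevel of OFF as disabled.

```python
"""Audit API Gateway REST API stages for CloudWatch execution logging (AG-001).
Added example (not Conformity's tooling): applies the Audit section's check to
get-stages output. Logging is on only when the stage-wide "*/*" methodSettings
entry has loggingLevel ERROR or INFO; "OFF" or an empty methodSettings means
no execution logs. Use a boto3 apigateway client, or ReplayClient offline."""
ACTIVE_LEVELS = {"ERROR", "INFO"}  # loggingLevel values that emit log events


def stage_logging_status(stage):
    """'OFF', 'PARTIAL' (only per-method overrides log) or the "*/*" level."""
    settings = stage.get("methodSettings", {})
    level = settings.get("*/*", {}).get("loggingLevel", "OFF")
    if level in ACTIVE_LEVELS:
        return level
    overrides = (c.get("loggingLevel") for k, c in settings.items() if k != "*/*")
    return "PARTIAL" if any(lv in ACTIVE_LEVELS for lv in overrides) else "OFF"


def find_unlogged_stages(client):
    """Return [(api_id, stage_name, status)] for every stage not fully logged."""
    findings, position = [], None
    while True:  # get_rest_apis pages through results via the 'position' token
        page = client.get_rest_apis(**({"position": position} if position else {}))
        for api in page.get("items", []):
            for stage in client.get_stages(restApiId=api["id"]).get("item", []):
                status = stage_logging_status(stage)
                if status not in ACTIVE_LEVELS:
                    findings.append((api["id"], stage["stageName"], status))
        position = page.get("position")
        if not position:
            return findings


class ReplayClient:
    """Constructed stand-in for boto3's apigateway client; apis = {id: [stages]}."""
    def __init__(self, apis):
        self.apis = apis

    def get_rest_apis(self, **_):
        return {"items": [{"id": i} for i in self.apis]}

    def get_stages(self, restApiId):
        return {"item": self.apis[restApiId]}

# Constructed from the page's get-stages (before) and update-stage (after) output.
SAMPLE = ReplayClient({
    "aaabbbcccd": [{"stageName": "Development", "methodSettings": {}},
                   {"stageName": "Production", "methodSettings": {}}],
    "dddeeefffg": [{"stageName": "Development", "methodSettings": {
        "*/*": {"loggingLevel": "INFO", "dataTraceEnabled": True}}}]})
```

Against a real account, pass `boto3.client("apigateway", region_name=...)` instead of SAMPLE and loop over regions to cover step 06.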

Remediation / Resolution

To enable AWS CloudWatch Logs for your Amazon API Gateway APIs, perform the following actions:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open your APIs listing page.

04 Choose the API that you want to reconfigure (see Audit section part I to identify the right resource), then click on its name to access the API details and configuration.

05 In the left navigation panel, in the API submenu, click Stages to list the stages created for the selected API.

06 Select the API stage that you want to reconfigure.

07 On the API Stage Editor panel, select Logs tab to access the stage settings.

08 In the CloudWatch Settings section, perform the following:

  1. Check Enable CloudWatch Logs setting checkbox to enable the feature.
  2. Select INFO from the Log level dropdown list to set the appropriate level for logging stage data.
  3. Check Log full requests/responses data option checkbox to record the full requests sent to API Gateway and the responses from the backend, including any transformations that might happen in your mapping template.

09 Click Save Changes to apply the configuration changes and enable CloudWatch logging for the selected stage. If you see a warning prompt saying "CloudWatch Logs role ARN must be set in account settings to enable logging", follow the steps below to create an IAM role for logging to CloudWatch.

  1. On the IAM Create role page, choose AWS service and API Gateway that will use this role.
  2. Under Attached permissions policies, note that the AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs is selected by default. This policy has all the required permissions.
  3. Under Review, enter a meaningful name for the role, then choose Create role.
  4. Copy the IAM role ARN that you created. In the API Gateway console left navigation panel, choose Settings. Paste the IAM role ARN to CloudWatch log role ARN field, then Save the configuration.

10 Repeat steps no. 6 – 9 to enable CloudWatch Logs for other API stages created for the selected API.

11 Repeat steps no. 4 – 10 to enable AWS CloudWatch logging for other APIs available within the current region.

12 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run update-stage command (OSX/Linux/UNIX) using the ID of the API and the name of the API stage that you want to reconfigure as identifiers to enable CloudWatch Logs for the selected API stage. The following command example enables CloudWatch logging (using INFO log level) for an API stage named "Development", created for an API identified by the ID "aaabbbcccd":

aws apigateway update-stage \
	--region us-east-1 \
	--rest-api-id aaabbbcccd \
	--stage-name 'Development' \
	--patch-operations 'op=replace,path=/*/*/logging/loglevel,value=INFO' 'op=replace,path=/*/*/logging/dataTrace,value=true'

02 The command output should return the API stage metadata:

{
    "stageName": "Development",
    "cacheClusterSize": "0.5",
    "cacheClusterEnabled": false,
    "cacheClusterStatus": "NOT_AVAILABLE",
    "deploymentId": "z0haur",
    "lastUpdatedDate": 1509565398,
    "createdDate": 1509558521,
    "methodSettings": {
        "*/*": {
            "cacheTtlInSeconds": 300,
            "loggingLevel": "INFO",
            "dataTraceEnabled": true,
            "metricsEnabled": false,
            "unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
            "throttlingRateLimit": 10000.0,
            "cacheDataEncrypted": false,
            "cachingEnabled": false,
            "throttlingBurstLimit": 5000,
            "requireAuthorizationForCacheControl": true
        }
    }
}

03 If you don't see "loggingLevel": "INFO" in "methodSettings", you will need to follow steps 04 to 08 to create an IAM role for logging to CloudWatch. Otherwise, jump to step 08.

04 Create the necessary trust relationship (Trusted Entities) policy for the required IAM role. To create the trust relationship policy for the new role, paste the following information into a new policy document named cc-iam-role-trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

05 Run iam create-role command (OSX/Linux/UNIX) to create the AWS IAM role using the trust relationship policy defined at the previous step:

aws iam create-role \
	--role-name cc-apigateway-cloudwatch-role \
	--assume-role-policy-document file://cc-iam-role-trust-policy.json

06 Run iam attach-role-policy command to attach AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs to the role created at the previous step:

aws iam attach-role-policy \
	--role-name cc-apigateway-cloudwatch-role \
	--policy-arn arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs

07 Run apigateway update-account command to register the role created at the previous step as the account-level CloudWatch Logs role (replace the account ID in the ARN with your own):

aws apigateway update-account \
	--patch-operations op='replace',path='/cloudwatchRoleArn',value='arn:aws:iam::123456789012:role/cc-apigateway-cloudwatch-role'

08 Repeat step no. 1 and 2 to enable CloudWatch Logs for other API stages available for the specified API.

09 Repeat steps no. 1 – 3 to enable AWS CloudWatch logging for other APIs available within the current region.

10 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
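As an added example (not Conformity's own code and not part of the original page), the Python below performs the CLI remediation from step 01 programmatically: it first checks the account-level CloudWatch Logs role that steps 04 to 07 create, then applies the same patch operations as the update-stage command. It assumes a boto3 apigateway client; the RecordingClient and the role ARN (with the page's placeholder account ID) are constructed for offline use.

```python
"""Enable CloudWatch execution logging on an API Gateway stage (AG-001 fix).
Added example (not Conformity's tooling): mirrors the CLI remediation. It
first confirms the account-level CloudWatch Logs role is set, because
update-stage is otherwise rejected with "CloudWatch Logs role ARN must be
set in account settings to enable logging", then applies the same patch
operations as the page's update-stage command."""


class MissingCloudWatchRole(RuntimeError):
    """/cloudwatchRoleArn is unset: run the create-role/attach/update-account steps first."""


def logging_patch_operations(level="INFO", data_trace=False):
    """Stage-wide ("*/*") logging patch, as in the page's update-stage command.
    dataTrace logs full request/response bodies, which can copy tokens and
    personal data into CloudWatch, so it is opt-in here rather than default."""
    ops = [{"op": "replace", "path": "/*/*/logging/loglevel", "value": level}]
    if data_trace:
        ops.append({"op": "replace", "path": "/*/*/logging/dataTrace", "value": "true"})
    return ops


def enable_stage_logging(client, api_id, stage_name, level="INFO", data_trace=False):
    """Patch the stage and return its resulting "*/*" method settings."""
    if level not in ("ERROR", "INFO"):
        raise ValueError("loggingLevel must be ERROR or INFO (OFF disables logging)")
    if not client.get_account().get("cloudwatchRoleArn"):
        raise MissingCloudWatchRole("set cloudwatchRoleArn with update-account first")
    stage = client.update_stage(restApiId=api_id, stageName=stage_name,
                                patchOperations=logging_patch_operations(level, data_trace))
    return stage.get("methodSettings", {}).get("*/*", {})


class RecordingClient:
    """Constructed stand-in for boto3's apigateway client (offline); records calls."""

    def __init__(self, role_arn=None):
        self.role_arn, self.calls = role_arn, []

    def get_account(self):
        return {"cloudwatchRoleArn": self.role_arn} if self.role_arn else {}

    def update_stage(self, restApiId, stageName, patchOperations):
        self.calls.append((restApiId, stageName, patchOperations))
        keys = {"loglevel": "loggingLevel", "dataTrace": "dataTraceEnabled"}
        settings = {keys[op["path"].rsplit("/", 1)[1]]: op["value"] for op in patchOperations}
        if "dataTraceEnabled" in settings:  # the real API returns a boolean here
            settings["dataTraceEnabled"] = settings["dataTraceEnabled"] == "true"
        return {"stageName": stageName, "methodSettings": {"*/*": settings}}
```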

References

Publication date Nov 13, 2017
