🛡️ AWS API Gateway API Access Logging in CloudWatch is not enabled🟢

Contextual name: 🛡️ API Access Logging in CloudWatch is not enabled🟢
ID: /ce/ca/aws/apigateway/api-access-logging
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟠🟢
- 📗 AWS API Gateway API
- 🧪 test-data.json

Similar Policies

Internal: dec-x-d75f6d86

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-d75f6d86	1

Description

Open File

Description

It is recommended for AWS API Gateway APIs to have access logging configured and enabled. Access logging records request and response data such as IP addresses, request methods, and user agents in Amazon CloudWatch Logs, creating a centralized location to analyze API usage and detect suspicious activity.

Rationale

Enabling access logging for API Gateway in AWS is essential for monitoring API usage patterns, debugging issues, and meeting compliance requirements. Access logs provide a crucial data source for identifying unusual patterns, tracking specific actions, and establishing accountability by capturing the specifics of each API call.

Impact

If API Gateway access logging is not enabled, it may lead to insufficient visibility into API interactions, hindering timely detection of security breaches or misconfigurations. It can also impair root cause analysis for performance or functional issues, creating obstacles in incident response and remediation.

Enabling access logging could introduce an increase in logging costs and require additional data management.

... see more

Remediation

Open File

Remediation

Prerequisites

To enable CloudWatch Logs, grant API Gateway permission to read and write logs to CloudWatch in your account. The managed policy AmazonAPIGatewayPushToCloudWatchLogs (ARN: arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs) provides the necessary permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents",
                "logs:GetLogEvents",
                "logs:FilterLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
To set up these permissions:

Create an IAM role with apigateway.amazonaws.com as the trusted entity.

Attach the above policy to the IAM role.

Set the IAM role ARN in the cloudWatchRoleArn property of your Account. Note that you must configure the cloudWatchRoleArn separately for each AWS Region where you wish to enable CloudWatch Logs.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 8 For accountability purposes, a regulated entity would typically ensure that users and information assets are uniquely identified and their actions are logged at a sufficient level of granularity to support information security monitoring processes.		2	2	no data
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;		19	22	no data
💼 APRA CPG 234 → 💼 67d logging and alerting of access to sensitive data or unsuccessful logon attempts to identify potential unauthorised access;		2	2	no data
💼 APRA CPG 234 → 💼 h. audit logging and monitoring of access to information assets by all users;		8	9	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.9] Access logging should be configured for API Gateway V2 Stages		1	1	no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			72	no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	28	no data
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			23	no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		34	no data
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			13	no data
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			13	no data
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			12	no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		70	no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		22	no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	4		37	no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	53	no data
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			23	no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			20	no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			70	no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		22	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			28	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			23	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		34	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			13	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			70	no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		22	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	2		21	no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			45	no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			60	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			170	no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			22	no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			95	no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			45	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			170	no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			37	no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			51	no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			52	no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			41	no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			41	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			14	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	21	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		23	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	13	34	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			13	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			13	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		12	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	70	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		22	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control	8	17	37	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			29	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			13	no data
💼 PCI DSS v3.2.1 → 💼 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.			7	no data
💼 PCI DSS v4.0.1 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		7	no data
💼 PCI DSS v4.0 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		7	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Impact​

Remediation​

Remediation​

Prerequisites​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Impact

Remediation

Remediation

Prerequisites

policy.yaml

Linked Framework Sections