
Description

AWS API Gateway APIs should have access logging configured and enabled on every deployed stage. Access logging records request and response data such as client IP addresses, request methods, and user agents in Amazon CloudWatch Logs, creating a centralized location to analyze API usage and detect suspicious activity.

Rationale

Enabling access logging for API Gateway is essential for monitoring API usage patterns, debugging issues, and meeting compliance requirements. Access logs provide a crucial data source for identifying unusual patterns, tracking specific actions, and establishing accountability by capturing the details of each API call.

Impact

If API Gateway access logging is not enabled, it may lead to insufficient visibility into API interactions, hindering timely detection of security breaches or misconfigurations. It can also impair root cause analysis for performance or functional issues, creating obstacles in incident response and remediation.

Enabling access logging may increase logging costs and require additional data management.

Audit

This policy marks an API Gateway API as INCOMPLIANT if the Access Logging Destination ARN of one of its stages is empty, indicating that access logging is not enabled for that stage.

It is also marked INCOMPLIANT if the Destination ARN is set but the log destination resource it references has been deleted, indicating that the stage is pointing at an inactive access logs destination and is no longer writing logs anywhere.
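Added example (written for this page, not code from the policy tooling or from AWS): a Python check that applies the audit logic above to stage records shaped like the `item` entries boto3's `apigateway.get_stages()` returns, compares the destination against the log-group ARNs that `logs.describe_log_groups()` would return, and builds the `update_stage()` patch operations needed to turn logging on. The stage records, the log-group ARNs and the JSON log format are constructed for illustration; the `format_gaps` helper goes beyond the policy (it checks that the format actually captures the source IP, method and user agent the Description mentions) and only CloudWatch Logs destinations are resolved.

```python
"""Offline check for the API Gateway stage access-logging policy described above.

Constructed example: STAGES mimics the `item` list from boto3
`apigateway.get_stages()`, and EXISTING_LOG_GROUPS stands in for the ARNs
returned by `logs.describe_log_groups()`. In a real audit those two calls
supply the data; the records below are hypothetical.
"""
import json
import re

# Shape of a CloudWatch Logs log-group ARN (describe_log_groups appends ":*").
LOG_GROUP_ARN = re.compile(
    r"^arn:aws[a-z-]*:logs:[a-z0-9-]+:\d{12}:log-group:[^:]+(:\*)?$"
)

# $context variables that carry the fields the Description calls out.
REQUIRED_FIELDS = (
    "$context.identity.sourceIp",
    "$context.httpMethod",
    "$context.identity.userAgent",
)

# A JSON access-log format using real API Gateway $context variables.
DEFAULT_FORMAT = json.dumps({
    "requestId": "$context.requestId",
    "ip": "$context.identity.sourceIp",
    "requestTime": "$context.requestTime",
    "httpMethod": "$context.httpMethod",
    "resourcePath": "$context.resourcePath",
    "status": "$context.status",
    "userAgent": "$context.identity.userAgent",
    "protocol": "$context.protocol",
    "responseLength": "$context.responseLength",
})


def _normalize(arn):
    """Drop the trailing ':*' so stage and describe_log_groups ARNs compare equal."""
    return arn[:-2] if arn.endswith(":*") else arn


def evaluate_stage(stage, existing_log_groups):
    """Apply the policy's Audit logic to one stage record -> (status, reason)."""
    settings = stage.get("accessLogSettings") or {}
    dest = (settings.get("destinationArn") or "").strip()
    if not dest:
        return "INCOMPLIANT", "access logging destination ARN is empty"
    if not LOG_GROUP_ARN.match(dest):
        # Other destination types are out of scope for this example.
        return "UNKNOWN", f"not a CloudWatch Logs log-group ARN, cannot verify: {dest}"
    known = {_normalize(a) for a in existing_log_groups}
    if _normalize(dest) not in known:
        return "INCOMPLIANT", f"destination log group no longer exists: {dest}"
    return "COMPLIANT", "access logging enabled and destination present"


def format_gaps(settings):
    """Extra check beyond the policy: which required fields the format omits."""
    fmt = (settings or {}).get("format") or ""
    return [field for field in REQUIRED_FIELDS if field not in fmt]


def enable_access_logging_ops(log_group_arn, log_format=DEFAULT_FORMAT):
    """Build the patchOperations payload for apigateway.update_stage()."""
    return [
        {"op": "replace", "path": "/accessLogSettings/destinationArn", "value": log_group_arn},
        {"op": "replace", "path": "/accessLogSettings/format", "value": log_format},
    ]


def audit(stages, existing_log_groups):
    """Evaluate every stage; returns {stageName: (status, reason)}."""
    return {s["stageName"]: evaluate_stage(s, existing_log_groups) for s in stages}


# Constructed sample data (hypothetical account, region and log groups).
ACCOUNT = "arn:aws:logs:us-east-1:123456789012:log-group:"
STAGES = [
    {"stageName": "prod",
     "accessLogSettings": {"format": DEFAULT_FORMAT,
                           "destinationArn": ACCOUNT + "/aws/apigateway/prod"}},
    {"stageName": "dev"},  # logging never configured
    {"stageName": "staging",
     "accessLogSettings": {"format": DEFAULT_FORMAT,
                           "destinationArn": ACCOUNT + "/aws/apigateway/staging"}},
]
# Only the prod group still exists; staging's group was deleted.
EXISTING_LOG_GROUPS = {ACCOUNT + "/aws/apigateway/prod:*"}

if __name__ == "__main__":
    for name, (status, reason) in audit(STAGES, EXISTING_LOG_GROUPS).items():
        print(f"{name}: {status} ({reason})")
    print(json.dumps(enable_access_logging_ops(ACCOUNT + "/aws/apigateway/dev"), indent=2))
```

In a live audit the same functions run unchanged on the `item` list from `get_stages()` for each REST API and on the ARNs collected by paginating `describe_log_groups()`; the patch operations list is passed as `patchOperations` to `update_stage()` once the target log group exists and the API Gateway account-level CloudWatch role is in place.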