Skip to main content

πŸ“ AWS API Gateway API Access Logging in CloudWatch is not enabled 🟒

  • Contextual name: πŸ“ API Access Logging in CloudWatch is not enabled 🟒
  • ID: /ce/ca/aws/apigateway/api-access-logging
  • Located in: πŸ“ AWS API Gateway

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

  • Internal
    • dec-x-d75f6d86

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-d75f6d861

Logic​

Description​

Open File

Description​

It is recommended for AWS API Gateway APIs to have access logging configured and enabled. Access logging records request and response data such as IP addresses, request methods, and user agents in Amazon CloudWatch Logs, creating a centralized location to analyze API usage and detect suspicious activity.

Rationale​

Enabling access logging for API Gateway in AWS is essential for monitoring API usage patterns, debugging issues, and meeting compliance requirements. Access logs provide a crucial data source for identifying unusual patterns, tracking specific actions, and establishing accountability by capturing the specifics of each API call.

Impact​

If API Gateway access logging is not enabled, it may lead to insufficient visibility into API interactions, hindering timely detection of security breaches or misconfigurations. It can also impair root cause analysis for performance or functional issues, creating obstacles in incident response and remediation.

Enabling access logging could introduce an increase in logging costs and require additional data management.

... see more

Remediation​

Open File

Remediation​

Prerequisites​

To enable CloudWatch Logs, grant API Gateway permission to read and write logs to CloudWatch in your account. The managed policy AmazonAPIGatewayPushToCloudWatchLogs (ARN: arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs) provides the necessary permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents",
                "logs:GetLogEvents",
                "logs:FilterLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

To set up these permissions:

  1. Create an IAM role with apigateway.amazonaws.com as the trusted entity.
  2. Attach the above policy to the IAM role.
  3. Set the IAM role ARN in the cloudWatchRoleArn property of your Account. Note that you must configure the cloudWatchRoleArn separately for each AWS Region where you wish to enable CloudWatch Logs.

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 8 For accountability purposes, a regulated entity would typically ensure that users and information assets are uniquely identified and their actions are logged at a sufficient level of granularity to support information security monitoring processes.22
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;1821
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 67d logging and alerting of access to sensitive data or unsuccessful logon attempts to identify potential unauthorised access;11
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό h. audit logging and monitoring of access to information assets by all users;78
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [APIGateway.9] Access logging should be configured for API Gateway V2 Stages11
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration49
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)723
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)6
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)120
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6(3) Correlate Audit Record Repositories (M)(H)6
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6(4) Central Review and Analysis (H)6
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-10 Non-repudiation (H)5
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)247
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)28
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-3 Configuration Change Control (M)(H)421
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(20) Privileged Users (H)4648
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)6
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)6
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)47
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)18
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)23
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)6
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)120
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6(3) Correlate Audit Record Repositories (M)(H)6
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)28
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-3 Configuration Change Control (M)(H)217
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-02: Potentially adverse events are analyzed to better understand associated activities26
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources26
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events83
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-02: The physical environment is monitored to find potentially adverse events8
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events59
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-06: External service provider activities and services are monitored to find potentially adverse events27
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events89
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-01: Improvements are identified from evaluations10
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties23
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities24
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded22
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked24
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(26) Information Flow Enforcement _ Audit Filtering Actions7
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6(9) Least Privilege _ Log Use of Privileged Functions1516
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-2 Event Logging46
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-3 Content of Audit Records31320
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-10 Non-repudiation55
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44547
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-7 Continuous Monitoring68
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3 Configuration Change Control81521
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic7
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events6
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.1
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.4.2 Logs of all other system components are reviewed periodically.11
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.4.2 Logs of all other system components are reviewed periodically.11