Skip to main content

πŸ›‘οΈ AWS API Gateway API Execution Logging in CloudWatch is not enabled🟒

  • Contextual name: πŸ›‘οΈ API Execution Logging in CloudWatch is not enabled🟒
  • ID: /ce/ca/aws/apigateway/api-execution-logging
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: PERFORMANCE, RELIABILITY

Logic​

Similar Policies​

  • Internal: dec-x-2ac6c302

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-2ac6c3021

Description​

Open File

Description​

AWS API Gateway APIs should have execution logging enabled in CloudWatch to support effective monitoring and troubleshooting. Enabling execution logging in CloudWatch provides insight into API requests, error rates, and latency, helping detect and respond to issues promptly.

Rationale​

Enabling API execution logging in CloudWatch helps monitor API usage and performance, as well as identify and troubleshoot issues in real-time. It enhances visibility into API traffic patterns, execution errors, and latencies, facilitating better management of APIs.

Impact​

Enabling CloudWatch logging may increase CloudWatch costs due to additional logging data.

Audit​

This policy marks an AWS API Gateway API as INCOMPLIANT if the CloudWatch Logging Level field in a related API Stage object is either empty or set to OFF.

For API Gateway HTTP APIs (identified by the Protocol Type field set to HTTP), the policy object is marked as INAPPLICABLE because HTTP APIs do not support execution logging.

Remediation​

Open File

Remediation​

Prerequisites​

To enable CloudWatch Logs, grant API Gateway permission to read and write logs to CloudWatch in your account. The managed policy AmazonAPIGatewayPushToCloudWatchLogs (ARN: arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs) provides the necessary permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents",
                "logs:GetLogEvents",
                "logs:FilterLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

To set up these permissions:

  1. Create an IAM role with apigateway.amazonaws.com as the trusted entity.
  2. Attach the above policy to the IAM role.
  3. Set the IAM role ARN in the cloudWatchRoleArn property of your Account. Note that you must configure the cloudWatchRoleArn separately for each AWS Region where you wish to enable CloudWatch Logs.

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;1922no data
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό h. audit logging and monitoring of access to information assets by all users;89no data
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled11no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration77no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)26no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)137no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6(3) Correlate Audit Record Repositories (M)(H)16no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6(4) Central Review and Analysis (H)16no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-10 Non-repudiation (H)15no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)273no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)227no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(20) Privileged Users (H)4856no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)26no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)23no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)73no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)127no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)26no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)137no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6(3) Correlate Audit Record Repositories (M)(H)16no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)73no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)227no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-02: Potentially adverse events are analyzed to better understand associated activities50no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources65no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events180no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-02: The physical environment is monitored to find potentially adverse events27no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events100no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-06: External service provider activities and services are monitored to find potentially adverse events50no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events181no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-01: Improvements are identified from evaluations45no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties59no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities60no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded46no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked49no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(26) Information Flow Enforcement _ Audit Filtering Actions17no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-2 Event Logging426no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-3 Content of Audit Records31337no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories16no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis16no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-10 Non-repudiation515no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44773no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-7 Continuous Monitoring627no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic34no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events16no data