Remediation
Prerequisites
To enable CloudWatch Logs, grant API Gateway permission to read and write logs to CloudWatch in your account. The managed policy AmazonAPIGatewayPushToCloudWatchLogs (ARN: arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs) provides the necessary permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
```
To set up these permissions:
- Create an IAM role with apigateway.amazonaws.com as the trusted entity.
- Attach the above policy to the IAM role.
- Set the IAM role ARN in the cloudWatchRoleArn property of your Account. Note that you must configure the cloudWatchRoleArn separately for each AWS Region where you wish to enable CloudWatch Logs.
If you receive an error when setting the IAM role ARN, check your AWS Security Token Service account settings to make sure that AWS STS is enabled in the Region that you're using.
From Command Line
Set Logging Level for Rest API Stage
- To override stage settings for a specific resource and method:
```shell
aws apigateway update-stage \
  --rest-api-id {{api-id}} \
  --stage-name {{stage-name}} \
  --patch-operations op=replace,path=/{{resourcePath}}/{{httpMethod}}/logging/loglevel,value=INFO
```
- To apply the logging level to all resources and methods in a stage:
```shell
aws apigateway update-stage \
  --rest-api-id {{api-id}} \
  --stage-name {{stage-name}} \
  --patch-operations op=replace,path=/*/*/logging/loglevel,value=INFO
```
Replace {{api-id}}, {{stage-name}}, {{resourcePath}}, and {{httpMethod}} with the appropriate values.
Set Logging Level for WebSocket API Stage
For WebSocket APIs, use the following command:
```shell
aws apigatewayv2 update-stage \
  --api-id {{api-id}} \
  --stage-name {{stage-name}} \
  --route-settings '{"{{routeKey}}": {"LoggingLevel": "INFO"}}'
```
Replace {{routeKey}} with the appropriate Route Key value.
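Before running the update-stage commands above it helps to know which stages, methods and routes actually lack logging, and to generate the exact patch arguments rather than typing them by hand. The following Python is an added example, not part of this page or of the AWS CLI; it works on the JSON that `aws apigateway get-stage` (REST, key `methodSettings`) and `aws apigatewayv2 get-stage` (WebSocket, keys `DefaultRouteSettings` and `RouteSettings`) return, using constructed sample documents embedded inline. The function names and the rule that INFO or ERROR both count as "logging on" are assumptions of this example; a method-level setting overrides the stage-wide `*/*` entry, so an explicit OFF override is reported even when the wildcard is enabled.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `aws apigateway get-stage` output (REST API).
# The stage-wide "*/*" entry is OFF; one method ("~1pets/GET", i.e. GET /pets,
# with "/" escaped as "~1" per API Gateway's JSON-pointer convention) is INFO.
REST_STAGE = {
    "stageName": "prod",
    "methodSettings": {
        "*/*": {"loggingLevel": "OFF", "dataTraceEnabled": False},
        "~1pets/GET": {"loggingLevel": "INFO", "dataTraceEnabled": False},
    },
}

# Constructed sample in the shape of `aws apigatewayv2 get-stage` output (WebSocket API).
WS_STAGE = {
    "StageName": "prod",
    "DefaultRouteSettings": {"LoggingLevel": "OFF"},
    "RouteSettings": {"$connect": {"LoggingLevel": "ERROR"}},
}

# Assumption of this example: either execution-log level counts as enabled.
ACCEPTED_LEVELS = {"INFO", "ERROR"}


def rest_stage_logging_gaps(stage: Dict) -> List[str]:
    """Return method-setting keys ("resourcePath/httpMethod") whose logging is off.

    "*/*" is reported when the stage-wide level is missing or OFF; every explicit
    per-method entry is checked on its own because it overrides the wildcard.
    """
    settings = stage.get("methodSettings", {})
    gaps = []
    if settings.get("*/*", {}).get("loggingLevel", "OFF") not in ACCEPTED_LEVELS:
        gaps.append("*/*")
    for key, method_settings in settings.items():
        if key == "*/*":
            continue
        if method_settings.get("loggingLevel", "OFF") not in ACCEPTED_LEVELS:
            gaps.append(key)
    return gaps


def rest_patch_operations(keys: List[str], level: str = "INFO") -> List[Dict]:
    """Build --patch-operations entries for `aws apigateway update-stage`.

    "*/*" becomes "/*/*/logging/loglevel"; a method key such as "~1pets/GET"
    becomes "/~1pets/GET/logging/loglevel".
    """
    return [
        {"op": "replace", "path": f"/{key}/logging/loglevel", "value": level}
        for key in keys
    ]


def websocket_stage_logging_gaps(stage: Dict) -> List[str]:
    """Return "DefaultRouteSettings" and/or route keys whose logging is off."""
    gaps = []
    default_level = stage.get("DefaultRouteSettings", {}).get("LoggingLevel", "OFF")
    if default_level not in ACCEPTED_LEVELS:
        gaps.append("DefaultRouteSettings")
    for route_key, route_settings in stage.get("RouteSettings", {}).items():
        if route_settings.get("LoggingLevel", "OFF") not in ACCEPTED_LEVELS:
            gaps.append(route_key)
    return gaps


def websocket_route_settings_arg(route_keys: List[str], level: str = "INFO") -> str:
    """Build the JSON string passed to `aws apigatewayv2 update-stage --route-settings`."""
    return json.dumps({key: {"LoggingLevel": level} for key in route_keys})


if __name__ == "__main__":
    rest_gaps = rest_stage_logging_gaps(REST_STAGE)
    print("REST stage gaps:", rest_gaps)
    print("--patch-operations", json.dumps(rest_patch_operations(rest_gaps)))

    ws_gaps = websocket_stage_logging_gaps(WS_STAGE)
    print("WebSocket stage gaps:", ws_gaps)
    route_gaps = [g for g in ws_gaps if g != "DefaultRouteSettings"]
    if route_gaps:
        print("--route-settings", websocket_route_settings_arg(route_gaps))
```

In practice you would pipe the real `get-stage` output into these functions (for example by loading `json.load(sys.stdin)` into the `stage` argument) and feed the generated list to `--patch-operations` with `--cli-input-json` or `file://`; the sample data is only there so the script runs offline.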