
[APIGateway.1]

API Gateway REST and WebSocket API logging should be enabled

Description

All stages of an Amazon API Gateway REST API or WebSocket API must have CloudWatch logs enabled. For this control to be COMPLIANT, the loggingLevel parameter of a stage must be set to either ERROR (to write only error-level entries to CloudWatch Logs) or INFO (to include all ERROR events as well as extra informational events).

Details

Property                Value
Category                Identify > Logging
Compliance Control ID   APIGateway.1
FortifyFox ID           FF100057
Link                    APIGateway.1 Compliance
Resource Type(s)        AWS::ApiGateway::RestApi, AWS::ApiGatewayV2::Api, AWS::ApiGateway::Deployment, AWS::ApiGatewayV2::Stage
Severity                Medium

Remediation

Use the following CloudFormation templates to deploy a REST or WebSocket API that is compliant with APIGateway.1.

REST API

YAML Template

Resources:
  restAPI:
    Type: AWS::ApiGateway::Deployment
    Properties:
      RestApiId: !Ref Your_API_ID
      # StageDescription is only applied when StageName is also set;
      # the deployment creates this stage with logging enabled.
      StageName: Your_Stage_Name
      StageDescription:
        LoggingLevel: INFO

JSON Template

{
  "Resources": {
    "restAPI": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "RestApiId": {
          "Ref": "Your_API_ID"
        },
        "StageName": "Your_Stage_Name",
        "StageDescription": {
          "LoggingLevel": "INFO"
        }
      }
    }
  }
}

WebSocket API

YAML Template

Resources:
  websocketStage:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      ApiId: !Ref Your_API_ID
      StageName: websocketStage
      # Stage-wide logging level for every route of the WebSocket API
      DefaultRouteSettings:
        LoggingLevel: INFO

  websocketDeploy:
    Type: AWS::ApiGatewayV2::Deployment
    # The deployment targets an existing stage, so the stage must be created first
    DependsOn: websocketStage
    Properties:
      ApiId: !Ref Your_API_ID
      StageName: websocketStage

JSON Template

{
  "Resources": {
    "websocketStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "ApiId": { "Ref": "Your_API_ID" },
        "StageName": "websocketStage",
        "DefaultRouteSettings": { "LoggingLevel": "INFO" }
      }
    },
    "websocketDeploy": {
      "Type": "AWS::ApiGatewayV2::Deployment",
      "DependsOn": "websocketStage",
      "Properties": {
        "ApiId": { "Ref": "Your_API_ID" },
        "StageName": "websocketStage"
      }
    }
  }
}

You will need to replace Your_API_ID with the ID of your REST API or WebSocket API (and any other Your_... placeholder with your own value). INFO can be replaced with ERROR if you want only error-level entries to be logged.
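To verify the control rather than only remediate it, the following added example (not part of this page or of FortifyFox) evaluates stage settings offline. The dictionaries are assumed to mirror the shape returned by boto3's apigateway.get_stages() (REST, stage-wide level under methodSettings['*/*']) and apigatewayv2.get_stages() (WebSocket, DefaultRouteSettings.LoggingLevel); the sample stages are constructed, and per-method or per-route overrides that switch logging OFF are reported as a caveat.

```python
COMPLIANT_LEVELS = {"ERROR", "INFO"}

def evaluate_rest_stage(stage):
    """REST stage (apigateway get_stages item): stage-wide level is methodSettings['*/*']."""
    name = stage.get("stageName", "?")
    settings = stage.get("methodSettings", {})
    level = settings.get("*/*", {}).get("loggingLevel", "OFF")  # absent == OFF
    if level not in COMPLIANT_LEVELS:
        return name, False, f"stage-wide loggingLevel is {level}"
    # Per-method overrides (keys like '~1health/GET') can silence logging for
    # individual methods even when the stage-wide default is compliant.
    silenced = sorted(k for k, v in settings.items()
                      if k != "*/*" and v.get("loggingLevel", level) == "OFF")
    if silenced:
        return name, True, f"stage-wide {level}; logging OFF for {', '.join(silenced)}"
    return name, True, f"stage-wide loggingLevel is {level}"

def evaluate_websocket_stage(stage):
    """WebSocket stage (apigatewayv2 get_stages item): level is DefaultRouteSettings.LoggingLevel."""
    name = stage.get("StageName", "?")
    level = stage.get("DefaultRouteSettings", {}).get("LoggingLevel", "OFF")
    if level not in COMPLIANT_LEVELS:
        return name, False, f"DefaultRouteSettings.LoggingLevel is {level}"
    silenced = sorted(k for k, v in stage.get("RouteSettings", {}).items()
                      if v.get("LoggingLevel", level) == "OFF")
    if silenced:
        return name, True, f"stage-wide {level}; logging OFF for routes {', '.join(silenced)}"
    return name, True, f"DefaultRouteSettings.LoggingLevel is {level}"

def audit(rest_stages, websocket_stages):
    """Return (api_kind, stage_name, reason) for every non-compliant stage."""
    results = [("REST",) + evaluate_rest_stage(s) for s in rest_stages]
    results += [("WebSocket",) + evaluate_websocket_stage(s) for s in websocket_stages]
    return [(kind, name, why) for kind, name, ok, why in results if not ok]

# Constructed sample stages (not captured from a real account).
REST_STAGES = [
    {"stageName": "prod", "methodSettings": {"*/*": {"loggingLevel": "INFO"}}},
    {"stageName": "test", "methodSettings": {"*/*": {"loggingLevel": "ERROR"},
                                             "~1health/GET": {"loggingLevel": "OFF"}}},
    {"stageName": "dev"},  # no methodSettings at all: logging was never enabled
]
WS_STAGES = [
    {"StageName": "websocketStage", "DefaultRouteSettings": {"LoggingLevel": "INFO"}},
    {"StageName": "legacy", "DefaultRouteSettings": {"LoggingLevel": "OFF"}},
]

if __name__ == "__main__":
    for kind, name, why in audit(REST_STAGES, WS_STAGES):
        print(f"NON_COMPLIANT {kind} stage {name}: {why}")
```

Feeding the real get_stages() responses into audit() in place of the constructed lists turns this into a per-account check that can run before or after the templates above are deployed.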


📓 Notes

  • API Gateway must be configured with an IAM role that has permission to push logs to CloudWatch Logs; without it, enabling logging on a stage fails.