API Gateway access logging is disabled Affecting API Gateway (REST APIs) service in AWS
Severity Framework
Snyk CCSS
Rule category
Logging / Access
Frameworks
CIS-Controls
CSA-CCM
HIPAA
ISO-27001
NIST-800-53
- Snyk ID SNYK-CC-00327
- credit Snyk Research Team
Description
Without access logging on the stage, audit records of API requests may not be available during an investigation.
How to fix?
Set the access_log_settings block on the stage with a valid destination_arn (a CloudWatch log group or Kinesis Data Firehose ARN) and a non-empty format.
Example Configuration
# aws_api_gateway_stage example
resource "aws_api_gateway_stage" "allowed" {
  deployment_id = aws_api_gateway_deployment.example.id
  rest_api_id   = aws_api_gateway_rest_api.example.id
  stage_name    = "example"

  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.api_gw.arn
    format = jsonencode({
      requestId               = "$context.requestId"
      sourceIp                = "$context.identity.sourceIp"
      requestTime             = "$context.requestTime"
      protocol                = "$context.protocol"
      httpMethod              = "$context.httpMethod"
      resourcePath            = "$context.resourcePath"
      routeKey                = "$context.routeKey"
      status                  = "$context.status"
      responseLength          = "$context.responseLength"
      integrationErrorMessage = "$context.integrationErrorMessage"
    })
  }
}

# aws_apigatewayv2_stage example
resource "aws_apigatewayv2_stage" "allowed" {
  name   = "examplev2"
  api_id = aws_apigatewayv2_api.lambda.id

  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.api_gwv2.arn
    format = jsonencode({
      requestId               = "$context.requestId"
      sourceIp                = "$context.identity.sourceIp"
      requestTime             = "$context.requestTime"
      protocol                = "$context.protocol"
      httpMethod              = "$context.httpMethod"
      resourcePath            = "$context.resourcePath"
      routeKey                = "$context.routeKey"
      status                  = "$context.status"
      responseLength          = "$context.responseLength"
      integrationErrorMessage = "$context.integrationErrorMessage"
    })
  }
}
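The following is an added example, not Snyk's rule implementation or code from the page, showing how the same condition can be checked at plan time before apply. It reads the JSON produced by `terraform show -json tfplan` and flags any `aws_api_gateway_stage` or `aws_apigatewayv2_stage` resource whose `access_log_settings` block is absent or lacks `destination_arn` or `format`. It assumes the standard plan JSON layout (`resource_changes[].change.after` holding known values and `change.after_unknown` marking values only resolved at apply, such as the ARN of a log group created in the same plan); the embedded `SAMPLE_PLAN` is constructed for illustration, including a compliant stage, a stage with no logging block, and a stage with an empty format.

```python
"""Plan-time check for API Gateway stages without access logging.

Usage: python check_apigw_logging.py plan.json
(runs against the embedded constructed sample when no file is given).
"""
import json
import sys

# Resource types this rule covers: REST API stages and HTTP/WebSocket API stages.
AUDITED_TYPES = {"aws_api_gateway_stage", "aws_apigatewayv2_stage"}
# Both attributes are needed for a usable access log destination.
REQUIRED_KEYS = ("destination_arn", "format")


def _is_set(known, unknown, key):
    """True if `key` has a non-empty known value, or is marked unknown in
    after_unknown (a log group ARN created in the same plan shows up there)."""
    return bool(known.get(key)) or unknown.get(key) is True


def find_unlogged_stages(plan):
    """Return (address, reason) pairs for stages that would be created or
    updated without a complete access_log_settings block."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in AUDITED_TYPES:
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # nothing to log for a stage being removed
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        blocks = after.get("access_log_settings") or []
        unknown_blocks = unknown.get("access_log_settings")
        if not blocks:
            if unknown_blocks is True:
                # The block count itself is unresolved until apply; flag for review.
                findings.append((rc["address"], "access_log_settings unknown at plan time"))
            else:
                findings.append((rc["address"], "access_log_settings block missing"))
            continue
        block = blocks[0]
        unknown_block = unknown_blocks[0] if isinstance(unknown_blocks, list) and unknown_blocks else {}
        missing = [k for k in REQUIRED_KEYS if not _is_set(block, unknown_block, k)]
        if missing:
            findings.append((rc["address"], "missing " + ", ".join(missing)))
    return findings


# Constructed sample plan (not real output); the account id is AWS's documentation placeholder.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {   # compliant: format known, destination ARN unknown until the log group exists
            "address": "aws_api_gateway_stage.allowed",
            "type": "aws_api_gateway_stage",
            "change": {
                "actions": ["create"],
                "after": {"stage_name": "example",
                          "access_log_settings": [{"format": "{\"requestId\":\"$context.requestId\"}"}]},
                "after_unknown": {"id": True, "access_log_settings": [{"destination_arn": True}]},
            },
        },
        {   # non-compliant: no access_log_settings block at all
            "address": "aws_api_gateway_stage.unlogged",
            "type": "aws_api_gateway_stage",
            "change": {"actions": ["create"],
                       "after": {"stage_name": "prod", "access_log_settings": []},
                       "after_unknown": {"id": True}},
        },
        {   # non-compliant: destination set but format empty
            "address": "aws_apigatewayv2_stage.partial",
            "type": "aws_apigatewayv2_stage",
            "change": {"actions": ["update"],
                       "after": {"name": "v2",
                                 "access_log_settings": [{
                                     "destination_arn": "arn:aws:logs:us-east-1:111122223333:log-group:api_gwv2",
                                     "format": ""}]},
                       "after_unknown": {}},
        },
        {   # out of scope for this rule
            "address": "aws_lambda_function.backend",
            "type": "aws_lambda_function",
            "change": {"actions": ["create"], "after": {}, "after_unknown": {"arn": True}},
        },
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for address, reason in find_unlogged_stages(plan):
        print(f"{address}: {reason}")
```

Treating a value that only appears in `after_unknown` as configured matters in practice: the page's own example references `aws_cloudwatch_log_group.api_gw.arn`, which is unknown at plan time when the log group is created in the same run, and a checker that only looks at known values would report a false positive there.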