API Gateway access logging is disabled
Affecting API Gateway (REST APIs) service in AWS


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Logging / Access

Frameworks: CIS-Controls, CSA-CCM, HIPAA, ISO-27001, NIST-800-53
Snyk ID: SNYK-CC-00327
Credit: Snyk Research Team

Description

A stage without access logging keeps no per-request record (caller IP, method, path, status code, response size), so audit records may not be available when an incident involving the API is investigated.

How to fix?

On every stage, set the access_log_settings block with a valid destination_arn (the ARN of a CloudWatch Logs log group that already exists, or is created in the same configuration) and a format. The format is a single-line string; JSON built with jsonencode is the easiest to query later, and including $context.requestId lets each entry be correlated with the execution logs. For REST API stages, API Gateway also needs the account-level CloudWatch Logs role (aws_api_gateway_account with cloudwatch_role_arn) before it will deliver logs; applying access_log_settings without it fails with "CloudWatch Logs role ARN must be set in account settings to enable logging".

Example Configuration

# aws_api_gateway_stage example (REST API stage)
resource "aws_api_gateway_stage" "allowed" {
  deployment_id = aws_api_gateway_deployment.example.id
  rest_api_id   = aws_api_gateway_rest_api.example.id
  stage_name    = "example"

  # Access logging is on only when both destination_arn and format are set.
  access_log_settings {
    # ARN of the CloudWatch Logs log group (declared elsewhere as
    # aws_cloudwatch_log_group.api_gw). REST APIs additionally require the
    # account-level CloudWatch role (aws_api_gateway_account) to deliver logs.
    destination_arn = aws_cloudwatch_log_group.api_gw.arn

    # One JSON object per request; jsonencode produces the single-line
    # string API Gateway expects. $context.* is expanded at request time.
    format = jsonencode({
      requestId               = "$context.requestId"
      sourceIp                = "$context.identity.sourceIp"
      requestTime             = "$context.requestTime"
      protocol                = "$context.protocol"
      httpMethod              = "$context.httpMethod"
      resourcePath            = "$context.resourcePath"
      routeKey                = "$context.routeKey"
      status                  = "$context.status"
      responseLength          = "$context.responseLength"
      integrationErrorMessage = "$context.integrationErrorMessage"
    })
  }
}

# aws_apigatewayv2_stage example (HTTP or WebSocket API stage)
resource "aws_apigatewayv2_stage" "allowed" {
  name   = "examplev2"
  api_id = aws_apigatewayv2_api.lambda.id

  access_log_settings {
    # Separate log group for the v2 API (aws_cloudwatch_log_group.api_gwv2);
    # no account-level CloudWatch role is needed for HTTP APIs.
    destination_arn = aws_cloudwatch_log_group.api_gwv2.arn

    # Same field set as the REST example so both log streams can be
    # queried with one CloudWatch Logs Insights query.
    format = jsonencode({
      requestId               = "$context.requestId"
      sourceIp                = "$context.identity.sourceIp"
      requestTime             = "$context.requestTime"
      protocol                = "$context.protocol"
      httpMethod              = "$context.httpMethod"
      resourcePath            = "$context.resourcePath"
      routeKey                = "$context.routeKey"
      status                  = "$context.status"
      responseLength          = "$context.responseLength"
      integrationErrorMessage = "$context.integrationErrorMessage"
    })
  }
}
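The following checker is an added example, not Snyk's rule engine or code from this page, and it shows how the "How to fix?" conditions above can be evaluated before apply against the JSON produced by terraform show -json plan.out. It walks resource_changes for both stage types, flags a stage with no access_log_settings block, an empty destination_arn or format, and treats a destination_arn that is only known at apply time (the usual case when the log group is created in the same plan) as acceptable. Two checks are this script's own assumptions rather than something the page states: destination_arn must be a CloudWatch Logs or Kinesis Data Firehose ARN in the aws partition, and format must reference $context.requestId. The embedded plan document is constructed for the example.

```python
"""Flag API Gateway stages in a Terraform plan that lack usable access logging.

Added example. Reads the JSON output of `terraform show -json plan.out` and
reports aws_api_gateway_stage / aws_apigatewayv2_stage resources whose planned
access_log_settings would leave access logging disabled.
"""
import json
import sys
from typing import Any, Dict, List, Tuple

# Both resource types the rule covers (REST stages and HTTP/WebSocket stages).
STAGE_TYPES = {"aws_api_gateway_stage", "aws_apigatewayv2_stage"}

# Assumption of this checker: a destination must be a CloudWatch Logs log
# group or Kinesis Data Firehose delivery stream ARN in the aws partition.
DESTINATION_PREFIXES = ("arn:aws:logs:", "arn:aws:firehose:")
# Assumption of this checker: the format must carry the request ID so entries
# can be correlated with execution logs (as in the page's example format).
REQUIRED_FORMAT_TOKEN = "$context.requestId"


def _first(block_list: Any) -> Dict[str, Any]:
    """Terraform renders a nested block as a list of objects; return the first or {}."""
    if isinstance(block_list, list) and block_list and isinstance(block_list[0], dict):
        return block_list[0]
    return {}


def check_stage(after: Dict[str, Any], after_unknown: Dict[str, Any]) -> List[str]:
    """Return rule violations for one planned stage; an empty list means compliant."""
    # A block that is entirely computed at apply time cannot be judged here.
    if after_unknown.get("access_log_settings") is True:
        return []
    settings = _first(after.get("access_log_settings"))
    unknown = _first(after_unknown.get("access_log_settings"))
    if not settings and not unknown:
        return ["access_log_settings block is missing: access logging is disabled"]

    problems: List[str] = []
    dest = settings.get("destination_arn")
    if dest is None and unknown.get("destination_arn") is True:
        pass  # e.g. aws_cloudwatch_log_group.api_gw.arn, resolved during apply
    elif not dest:
        problems.append("destination_arn is empty")
    elif not dest.startswith(DESTINATION_PREFIXES):
        problems.append(f"destination_arn is not a Logs/Firehose ARN: {dest}")

    fmt = settings.get("format")
    if fmt is None and unknown.get("format") is True:
        pass  # computed format string, resolved during apply
    elif not fmt:
        problems.append("format is empty")
    elif REQUIRED_FORMAT_TOKEN not in fmt:
        problems.append(f"format does not include {REQUIRED_FORMAT_TOKEN}")
    return problems


def scan_plan(plan: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Walk resource_changes and return (resource address, problem) pairs."""
    findings: List[Tuple[str, str]] = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in STAGE_TYPES:
            continue
        change = rc.get("change", {})
        after = change.get("after")
        if after is None or change.get("actions") == ["delete"]:
            continue  # stage is being destroyed; nothing left to log
        for problem in check_stage(after, change.get("after_unknown") or {}):
            findings.append((rc["address"], problem))
    return findings


# Constructed sample plan: one compliant REST stage, one REST stage whose log
# group is created in the same plan (ARN unknown), one HTTP API stage without
# any access_log_settings block, and one with an empty format.
SAMPLE_PLAN: Dict[str, Any] = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_api_gateway_stage.allowed", "type": "aws_api_gateway_stage",
         "change": {"actions": ["create"],
                    "after": {"stage_name": "example", "access_log_settings": [{
                        "destination_arn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/api-gw/example",
                        "format": '{"requestId":"$context.requestId","status":"$context.status"}'}]},
                    "after_unknown": {"id": True, "access_log_settings": [{}]}}},
        {"address": "aws_api_gateway_stage.new_group", "type": "aws_api_gateway_stage",
         "change": {"actions": ["create"],
                    "after": {"stage_name": "new", "access_log_settings": [{
                        "format": '{"requestId":"$context.requestId"}'}]},
                    "after_unknown": {"id": True, "access_log_settings": [{"destination_arn": True}]}}},
        {"address": "aws_apigatewayv2_stage.denied", "type": "aws_apigatewayv2_stage",
         "change": {"actions": ["create"],
                    "after": {"name": "$default", "access_log_settings": []},
                    "after_unknown": {"id": True, "access_log_settings": []}}},
        {"address": "aws_apigatewayv2_stage.empty_format", "type": "aws_apigatewayv2_stage",
         "change": {"actions": ["update"],
                    "after": {"name": "v2", "access_log_settings": [{
                        "destination_arn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/api-gw/v2",
                        "format": ""}]},
                    "after_unknown": {"id": True, "access_log_settings": [{}]}}},
    ],
}


if __name__ == "__main__":
    # Usage: python check_apigw_logging.py plan.json   (defaults to the sample)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, problem in scan_plan(plan):
        print(f"{address}: {problem}")
```

Run it against the sample to see the two non-compliant stages reported, and point it at a real plan file to gate a pipeline on a non-empty result. Stages that are being destroyed are skipped on purpose, and a destination that Terraform marks as unknown is not reported, which avoids false positives on first-time applies where the log group and stage are created together.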