Enable Access Logs for API Gateway V2 API Stages

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that access logging is enabled for Amazon API Gateway V2 APIs such as HTTP APIs and WebSocket APIs, in order to track and analyze execution behavior at the API stage level.

This rule can help you work with the AWS Well-Architected Framework.

Security, Reliability, Operational excellence

Enabling access logging for API Gateway V2 APIs gives you visibility into how each API is accessed and used. This log data is essential for monitoring and understanding usage patterns, detecting possible security risks, and supporting auditing and troubleshooting. Once logging is enabled, each request to the API stage is recorded in the configured CloudWatch Logs log group, where the data can be viewed and analyzed with CloudWatch Logs Insights.


Audit

To determine if access logging is enabled for Amazon API Gateway V2 API stages, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to API Gateway console available at https://console.aws.amazon.com/apigateway.

03 In the main navigation panel, select APIs to access your API Gateway APIs.

04 Click on the name (link) of the API Gateway V2 API that you want to examine. An API Gateway V2 API is an API with the Protocol set to HTTP or WebSocket.

05 Choose Stages from the API menu to access the stages created for the selected API.

06 Click on the name of the API stage that you want to examine and select the Logs/Tracing tab.

07 On the Logs/Tracing panel, in the Custom Access Logging section, check the Enable Access Logging setting status. If the Enable Access Logging setting is disabled (i.e. the setting checkbox is not selected), access logging is not enabled for the selected Amazon API Gateway V2 API stage.

08 Repeat steps no. 6 and 7 for each API stage created for the selected API Gateway V2 API.

09 Repeat steps no. 4 – 8 for each Amazon API Gateway V2 API available within the current region.

10 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run get-apis command (OSX/Linux/UNIX) with custom query filters to list the ID of each API Gateway V2 API available in the selected AWS region:

aws apigatewayv2 get-apis \
  --region us-east-1 \
  --output table \
  --query 'Items[*].ApiId'

02 The command output should return a table with the requested API IDs:

----------------
|    GetApis   |
+--------------+
|  abcabcabca  |
|  abcdabcdab  |
+--------------+

03 Run get-stages command (OSX/Linux/UNIX) using the ID of the Amazon API Gateway V2 API that you want to examine as the identifier parameter and custom query filters to get the names of the API stages created for the selected API:

aws apigatewayv2 get-stages \
  --region us-east-1 \
  --api-id abcabcabca \
  --output table \
  --query 'Items[*].StageName'

04 The command output should return the requested API stage names:

----------------
|  GetStages   |
+--------------+
|  Production  |
|  Staging     |
|  Development |
+--------------+ 

05 Run get-stage command (OSX/Linux/UNIX) using the name of the API Gateway V2 API stage that you want to examine as the identifier parameter and custom query filters to describe the access logs settings configured for the selected API stage:

aws apigatewayv2 get-stage \
  --region us-east-1 \
  --api-id abcabcabca \
  --stage-name Production \
  --query 'AccessLogSettings'

06 The command output should return the requested configuration settings:

null

If the get-stage command output returns null, as shown in the example above, access logging is not enabled for the selected Amazon API Gateway V2 API stage.

07 Repeat steps no. 5 and 6 for each API stage created for the selected API Gateway V2 API.

08 Repeat steps no. 4 – 7 for each Amazon API Gateway V2 API available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
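The CLI audit steps above can be scripted so that every API and stage in a region is checked in one pass. The script below is an added example, not code from the Conformity page; it assumes AWS CLI v2 is installed with credentials configured and reuses the get-apis, get-stages and get-stage queries from steps 01 to 06.

```shell
#!/bin/sh
# Added example (not part of the Conformity page): automate the CLI audit above.
# Walks every API Gateway V2 API and stage in a region and prints the stages
# whose get-stage AccessLogSettings is null, i.e. access logging is not enabled.
# Assumes the AWS CLI v2 is installed and credentials are configured.
set -eu

# Returns 0 (true) when a `get-stage --query AccessLogSettings` result means
# that no access logging is configured; the CLI prints "null" in that case.
stage_lacks_access_logging() {
  case "$1" in
    ""|null) return 0 ;;
    *)       return 1 ;;
  esac
}

# Prints "<region> <api-id> <stage-name>" for each stage without access logging.
audit_region() {
  region="$1"
  # With --output text the API IDs come back tab-separated on one line,
  # which the for loop splits into individual IDs.
  for api_id in $(aws apigatewayv2 get-apis --region "$region" \
                    --output text --query 'Items[*].ApiId'); do
    for stage in $(aws apigatewayv2 get-stages --region "$region" \
                     --api-id "$api_id" --output text --query 'Items[*].StageName'); do
      settings=$(aws apigatewayv2 get-stage --region "$region" --api-id "$api_id" \
                   --stage-name "$stage" --output json --query 'AccessLogSettings')
      if stage_lacks_access_logging "$settings"; then
        printf '%s %s %s\n' "$region" "$api_id" "$stage"
      fi
    done
  done
}

# Usage: sh audit-apigw-access-logs.sh us-east-1 eu-west-1
# The rule is regional, so pass every region you use; `for region;` iterates
# over the script's positional parameters.
for region; do
  audit_region "$region"
done
```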

Remediation / Resolution

To enable access logging for your Amazon API Gateway V2 APIs, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 To create an IAM role that allows Amazon API Gateway to push logs to CloudWatch Logs, navigate to Amazon IAM console at https://console.aws.amazon.com/iamv2/.

03 In the navigation panel, under Access management, choose Roles.

04 Choose Create role from the console top menu to initiate the IAM role setup process:

  1. For Step 1 Select trusted entity, perform the following actions:
    • Select the AWS service category.
    • For Use case, select the API Gateway use case from the Use cases for other AWS services list. Choose Next to continue the setup process.
  2. For Step 2 Add permissions, select the AmazonAPIGatewayPushToCloudWatchLogs policy. This managed policy allows Amazon API Gateway to push logs to your CloudWatch Logs log group. Choose Next to continue.
  3. For Step 3 Name, review, and create, provide a name and a description for your new IAM role, and use the Add tag button to create and apply tags to the new IAM role. You can use the tags to organize, track, or control access for your role. Review the IAM resource configuration information, and choose Create role to create your new Amazon IAM role.

05 Click on the name (link) of the new IAM role and copy the role ARN, listed under ARN.

06 Navigate to API Gateway console available at https://console.aws.amazon.com/apigateway.

07 In the main navigation panel, select APIs to access your API Gateway APIs.

08 Click on the name (link) of the API Gateway V2 API that you want to configure.

09 Choose Settings from the API menu to access the main configuration settings available for the selected API.

10 Paste the IAM role ARN copied at step no. 5 into the CloudWatch log role ARN box, then choose Save to apply the changes.

11 Navigate back to the API menu and select Stages to access the stages created for the selected API.

12 Click on the name of the API stage that you want to configure and choose the Logs/Tracing tab.

13 On the Logs/Tracing panel, in the Custom Access Logging section, perform the following actions:

  1. Select the Enable Access Logging checkbox to enable access logging for the selected API stage.
  2. For Access Log Destination ARN, enter a CloudWatch Logs log group ARN or a Kinesis Firehose data stream ARN to receive logs.
  3. For Log Format, define the preferred access log format. The format must include either $context.requestId or $context.extendedRequestId. For access logging variable reference, choose List of Log Variables.
  4. Choose Save Changes to apply the changes.

14 Repeat steps no. 12 and 13 to enable access logging for each API stage created for the selected API Gateway V2 API.

15 Repeat steps no. 8 – 14 to reconfigure each Amazon API Gateway V2 API available within the current AWS region.

16 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Create an IAM role that allows Amazon API Gateway to push logs to CloudWatch Logs. Define the trust relationship policy for this IAM role as shown in the example below. Paste the following policy document to a JSON file named iam-role-trust-policy.json:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "",
			"Effect": "Allow",
			"Principal": {
				"Service": "apigateway.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

02 Run create-role command (OSX/Linux/UNIX) to create the IAM role that allows Amazon API Gateway to push logs to CloudWatch Logs using the trust relationship policy defined at the previous step (i.e. iam-role-trust-policy.json):

aws iam create-role \
  --role-name api-access-log-role \
  --assume-role-policy-document file://iam-role-trust-policy.json

03 The command output should return the metadata available for the new IAM role:

{
	"Role": {
		"AssumeRolePolicyDocument": {
			"Version": "2012-10-17",
			"Statement": [
				{
					"Action": "sts:AssumeRole",
					"Effect": "Allow",
					"Principal": {
						"Service": "apigateway.amazonaws.com"
					}
				}
			]
		},
		"RoleId": "AAAABBBBCCCCDDDDEEEE",
		"CreateDate": "2023-01-12T10:00:00Z",
		"RoleName": "api-access-log-role",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:role/api-access-log-role"
	}
}

04 Run attach-role-policy command (OSX/Linux/UNIX) to attach the AmazonAPIGatewayPushToCloudWatchLogs managed policy to the newly created IAM role. Use the --policy-arn command parameter to specify the ARN of the AWS-managed policy that you want to attach to your IAM role (the command does not produce an output):

aws iam attach-role-policy \
  --role-name api-access-log-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs

05 Run update-stage command (OSX/Linux/UNIX) using the name of the API stage that you want to reconfigure as the identifier parameter, to enable access logging for the selected API Gateway V2 API stage. The following command request example enables access logging for an API stage named "Production", created for an API identified by the ID "abcabcabca". The access logs are published to a CloudWatch Logs log group named "access-log-group" and use the following format: "$context.extendedRequestId $context.identity.sourceIp $context.identity.caller $context.identity.user $context.status":

aws apigatewayv2 update-stage \
  --region us-east-1 \
  --api-id abcabcabca \
  --stage-name Production \
  --access-log-settings '{"DestinationArn":"arn:aws:logs:us-east-1:123456789012:log-group:access-log-group","Format":"$context.extendedRequestId $context.identity.sourceIp $context.identity.caller $context.identity.user $context.status"}'

06 The command output should return the API stage information:

{
	"AccessLogSettings": {
		"DestinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:access-log-group",
		"Format": "$context.extendedRequestId $context.identity.sourceIp $context.identity.caller $context.identity.user $context.status"
	},
	"CreatedDate": "2023-08-03T12:21:00+00:00",
	"DefaultRouteSettings": {
		"DataTraceEnabled": false,
		"DetailedMetricsEnabled": false,
		"LoggingLevel": "OFF",
		"ThrottlingBurstLimit": 5000,
		"ThrottlingRateLimit": 10000.0
	},
	"DeploymentId": "abcdabcd",
	"LastUpdatedDate": "2023-08-03T15:17:17+00:00",
	"RouteSettings": {},
	"StageName": "Production",
	"StageVariables": {},
	"Tags": {}
}

07 Repeat steps no. 5 and 6 to enable access logging for each API stage created for the selected API Gateway V2 API.

08 Repeat steps no. 5 – 7 to reconfigure each Amazon API Gateway V2 API available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.
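Once a stage writes access logs in the format configured at step 05, the entries can be summarised to spot clients that generate many rejected or failed calls. The script below is an added example, not code from the Conformity page; the log lines are constructed samples, and the function names and the default threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Conformity page): summarise access logs written
# in the Format string from step 05, i.e. one space-separated line per request:
#   $context.extendedRequestId $context.identity.sourceIp $context.identity.caller
#   $context.identity.user $context.status
# Counts requests and 4xx/5xx responses per source IP so that a client producing
# many rejected calls stands out. The lines below are constructed samples.
set -eu

SAMPLE_LOG='AbCdEfGhIjKlMnO= 203.0.113.7 - - 200
BcDeFgHiJkLmNoP= 203.0.113.7 - - 403
CdEfGhIjKlMnOpQ= 203.0.113.7 - - 403
DeFgHiJkLmNoPqR= 198.51.100.23 AIDAEXAMPLE alice 200
EfGhIjKlMnOpQrS= 203.0.113.7 - - 401
FgHiJkLmNoPqRsT= 198.51.100.23 AIDAEXAMPLE alice 500'

# Reads log lines on stdin and prints "<sourceIp> <requests> <errors>",
# one line per IP, highest error count first.
errors_by_source_ip() {
  awk '{ total[$2]++; if ($5 >= 400) errors[$2]++ }
       END { for (ip in total) printf "%s %d %d\n", ip, total[ip], errors[ip] + 0 }' \
    | sort -k3,3nr -k1,1
}

# Prints only the source IPs whose error count reaches the threshold (default 3).
flag_noisy_clients() {
  threshold="${1:-3}"
  errors_by_source_ip | awk -v t="$threshold" '$3 >= t { print $1 }'
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | flag_noisy_clients 3
# In practice, feed the output of `aws logs filter-log-events` or a Logs Insights
# export for the access-log-group instead of the sample.
```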

Publication date Aug 31, 2023