API Gateway Execution Logging Should Be Enabled
More Info:
API Gateway execution logging should be enabled
Risk Level
Low
Address
Monitoring
Compliance Standards
CBP,GDPR,HIPAA,ISO27001,SEBI,RBI_MD_ITF,RBI_UCB
Triage and Remediation
Check Cause
- Sign in to the AWS Management Console.
- Navigate to the API Gateway console. You can find this by typing ‘API Gateway’ into the search bar at the top of the console.
- In the API Gateway console, select the API you want to check.
- In the left navigation pane, under the selected API, click on ‘Stages’. Here, you will see a list of all the stages for your API.
- Select a stage, then in the main panel, click on the ‘Logs/Tracing’ tab. Here, you can check if the ‘Enable CloudWatch Logs’ option is enabled. If it is not, then API Gateway Execution Logging is not enabled for that API stage. Repeat this process for all stages of the API to ensure logging is enabled across the entire API.
- First, install and configure the AWS CLI on your local machine by following the instructions provided by AWS. Make sure you have the necessary permissions to access API Gateway.
- Once the AWS CLI is set up, list all the REST APIs in your account by running:
  ```
  aws apigateway get-rest-apis
  ```
  This command returns a list of all the REST APIs in your account.
- For each API, check the CloudWatch settings of a stage by running:
  ```
  aws apigateway get-stage --rest-api-id <restApiId> --stage-name <stageName>
  ```
  Replace `<restApiId>` and `<stageName>` with the ID of the API and the name of the stage you want to check. This command returns the settings for the specified stage.
- In the output of the above command, look for the `methodSettings` field (the `*/*` entry holds the stage-wide default). If `loggingLevel` is set to `OFF`, execution logging is not enabled for that API stage. If `loggingLevel` is set to `ERROR` or `INFO`, execution logging is enabled.
- Install the necessary Python libraries: Before you start, install the AWS SDK for Python (Boto3) in your environment. This can be done using pip:
  ```
  pip install boto3
  ```
- Import the necessary libraries and initialize the client: In your Python script, import Boto3 and initialize the API Gateway client.
  ```python
  import boto3

  client = boto3.client('apigateway')
  ```
- Fetch the list of REST APIs: Use the `get_rest_apis` method to fetch the list of all REST APIs in your AWS account.
  ```python
  response = client.get_rest_apis()
  rest_apis = response['items']
  ```
- Check if Execution Logging is enabled: For each REST API, check whether `loggingLevel` is set to `ERROR` or `INFO`. If it is not, Execution Logging is not enabled.
  ```python
  for api in rest_apis:
      stage = client.get_stage(
          restApiId=api['id'],
          stageName='prod'  # replace with your stage name
      )
      # A stage with no methodSettings, or no '*/*' entry, has never had
      # execution logging turned on, so treat a missing loggingLevel as OFF.
      settings = stage.get('methodSettings', {})
      logging_level = settings.get('*/*', {}).get('loggingLevel', 'OFF')
      if logging_level not in ['ERROR', 'INFO']:
          print(f"Execution Logging is not enabled for API: {api['name']}")
  ```
  Please note that this script assumes that you have configured your AWS credentials correctly in your environment. If not, you need to do so by following the AWS CLI configuration guide. Also, replace ‘prod’ with your actual stage name.
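As an added example that is not part of the original page: the same check extended to every stage of every REST API rather than one hard-coded stage name, evaluating `methodSettings` the way the CLI and Python steps describe while also treating a stage with no `methodSettings` and a per-method override set to `OFF` as findings. It assumes boto3 with default credentials; `get_paginator("get_rest_apis")` and `get_stages` are real boto3 API Gateway calls, and the fallback of a missing `loggingLevel` to `OFF` is an assumption stated in the code.

```python
# Added example, not from the original page: evaluate an API Gateway stage's
# methodSettings as the steps above describe, but also handle what the single
# stage script misses: a stage with no methodSettings at all, and a per-method
# override that turns logging OFF while the stage default '*/*' is INFO/ERROR.

COMPLIANT_LEVELS = {"ERROR", "INFO"}


def evaluate_stage(stage):
    """Return a finding for one get_stage()/get_stages() item (or a dict shaped like it).

    methodSettings is keyed '<resourcePath>/<httpMethod>'; '*/*' is the stage-wide
    default and any other key is a per-method override. Assumption: a missing
    loggingLevel behaves like OFF, which is API Gateway's default for new stages.
    """
    settings = stage.get("methodSettings") or {}
    default_level = settings.get("*/*", {}).get("loggingLevel", "OFF")
    disabled = ["*/*"] if default_level not in COMPLIANT_LEVELS else []
    for key, override in settings.items():
        if key == "*/*":
            continue
        if override.get("loggingLevel", default_level) not in COMPLIANT_LEVELS:
            disabled.append(key)
    return {
        "stageName": stage.get("stageName", "<unknown>"),
        "defaultLoggingLevel": default_level,
        "methodsWithoutLogging": sorted(disabled),
        "compliant": not disabled,
    }


def audit_account(client):
    """Walk every REST API and every stage using a boto3 'apigateway' client."""
    findings = []
    for page in client.get_paginator("get_rest_apis").paginate():
        for api in page["items"]:
            for stage in client.get_stages(restApiId=api["id"])["item"]:
                finding = evaluate_stage(stage)
                finding.update(apiId=api["id"], apiName=api["name"])
                findings.append(finding)
    return findings


if __name__ == "__main__":
    import boto3  # imported here so the evaluation logic can be tested offline

    for f in audit_account(boto3.client("apigateway")):
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {f['apiName']}/{f['stageName']} {f['methodsWithoutLogging']}")
```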