API Gateway Execution Logging Should Be Enabled

More Info:

API Gateway execution logging should be enabled

Risk Level

Low

Address

Monitoring

Compliance Standards

CBP,GDPR,HIPAA,ISO27001,SEBI,RBI_MD_ITF,RBI_UCB

Triage and Remediation

Cause
Remediation

Check Cause

Using Console

Sign in to the AWS Management Console.
Navigate to the API Gateway console. You can find this by typing ‘API Gateway’ into the search bar at the top of the console.
In the API Gateway console, select the API you want to check.
In the left navigation pane, under the selected API, click on ‘Stages’. Here, you will see a list of all the stages for your API.
Select a stage, then in the main panel, click on the ‘Logs/Tracing’ tab. Here, you can check if the ‘Enable CloudWatch Logs’ option is enabled. If it is not, then API Gateway Execution Logging is not enabled for that API stage. Repeat this process for all stages of the API to ensure logging is enabled across the entire API.

Using CLI

First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the API Gateway.
Once the AWS CLI is set up, you can list all the APIs in your account by running the following command:
```
aws apigateway get-rest-apis
```
This command will return a list of all the REST APIs in your account.
For each API, you can check the CloudWatch settings by running the following command:
```
aws apigateway get-stage --rest-api-id <restApiId> --stage-name <stageName>
```
Replace <restApiId> and <stageName> with the ID and name of the API and stage you want to check. This command will return the settings for the specified stage.
In the output of the above command, look for the methodSettings field. If the loggingLevel is set to OFF, then execution logging is not enabled for that API. If the loggingLevel is set to ERROR or INFO, then execution logging is enabled.

Using Python

Install the necessary Python libraries: Before you start, you need to install the AWS SDK for Python (Boto3) in your environment. This can be done using pip:
```
pip install boto3
```
Import the necessary libraries and initialize the client: In your Python script, you need to import Boto3 and initialize the API Gateway client.
```
import boto3

client = boto3.client('apigateway')
```
Fetch the list of Rest APIs: Use the get_rest_apis method to fetch the list of all Rest APIs in your AWS account.
```
response = client.get_rest_apis()
rest_apis = response['items']
```

Check if Execution Logging is enabled: For each Rest API, check if the loggingLevel is set to ERROR or INFO. If it’s not, then Execution Logging is not enabled.

for api in rest_apis:
    stage = client.get_stage(
        restApiId=api['id'],
        stageName='prod'  # replace with your stage name
    )
    if 'methodSettings' in stage:
        settings = stage['methodSettings']
        if '*/*' in settings:
            logging_level = settings['*/*'].get('loggingLevel')
            if logging_level not in ['ERROR', 'INFO']:
                print(f"Execution Logging is not enabled for API: {api['name']}")

Please note that this script assumes that you have configured your AWS credentials correctly in your environment. If not, you need to do so by following the AWS CLI configuration guide. Also, replace ‘prod’ with your actual stage name.

Remediation

Using Console

To remediate the misconfiguration of API Gateway Execution Logging not being enabled in AWS, follow these steps using the AWS Management Console:

Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
Navigate to API Gateway service: Click on the “Services” dropdown menu at the top of the page, and then select “API Gateway” under the Networking & Content Delivery section.
Select the API: From the list of APIs, select the API for which you want to enable execution logging.
Enable Execution Logging:
- In the API Gateway console, click on the “Stages” link on the left-hand side.
- Select the stage for which you want to enable execution logging (e.g., “Prod”).
- Under the selected stage, click on the “Logs/Tracing” tab.
- Click on the pencil icon next to “CloudWatch Settings” to edit the settings.
- Check the box next to “Enable CloudWatch Logs” to enable execution logging.
- Select the log level (INFO, ERROR, or OFF) based on your requirements.
- Choose an existing IAM role or create a new IAM role that grants API Gateway permissions to write logs to CloudWatch Logs.
- Click on the “Save Changes” button to save the configuration.
Verify the Configuration:
- To verify that execution logging is enabled, you can make a test request to your API and check if the logs are being generated in CloudWatch Logs.
- Go to the CloudWatch service in the AWS Management Console and navigate to the log group associated with your API Gateway.
- Look for log entries related to the requests made to your API to confirm that execution logging is working correctly.

By following these steps, you can remediate the misconfiguration of API Gateway Execution Logging not being enabled in AWS using the AWS Management Console.

Using CLI

To remediate the misconfiguration of API Gateway Execution Logging not being enabled in AWS, you can follow these steps using AWS CLI:

Enable CloudWatch Logs for API Gateway: Run the following AWS CLI command to enable CloudWatch Logs for API Gateway:
```
aws apigateway update-usage-plan --usage-plan-id <usage-plan-id> --patch-operations op=replace,path=/apiStages/<api-id>/<stage>,value="{\"metricsEnabled\":true,\"loggingLevel\":\"INFO\",\"dataTraceEnabled\":true}"
```
Replace <usage-plan-id> with the ID of the usage plan you want to update, <api-id> with the ID of the API you want to enable logging for, and <stage> with the stage of the API (e.g., prod).
Verify the Configuration: You can verify that the execution logging has been enabled by checking the API Gateway settings in the AWS Management Console or by running the following AWS CLI command:
```
aws apigateway get-usage-plan --usage-plan-id <usage-plan-id>
```
This command will return the details of the updated usage plan, and you can confirm that the metricsEnabled, loggingLevel, and dataTraceEnabled parameters are set to true.

By following these steps, you can successfully remediate the misconfiguration of API Gateway Execution Logging not being enabled in AWS using AWS CLI.

Using Python

To remediate the misconfiguration of API Gateway Execution Logging not being enabled in AWS using Python, you can follow these steps:

Import the necessary Python libraries:

import boto3

Create a boto3 client for API Gateway:

client = boto3.client('apigateway')

Get a list of APIs in API Gateway:

apis = client.get_rest_apis()

Iterate through each API and enable execution logging:

for api in apis['items']:
    api_id = api['id']
    response = client.update_stage(
        restApiId=api_id,
        stageName='your_stage_name', # Replace 'your_stage_name' with the name of your stage
        patchOperations=[
            {
                'op': 'replace',
                'path': '/logging/dataTrace',
                'value': 'true'
            },
            {
                'op': 'replace',
                'path': '/logging/loglevel',
                'value': 'INFO'
            }
        ]
    )
    print(f"Execution logging enabled for API: {api_id}")

Make sure to replace 'your_stage_name' with the name of the stage for which you want to enable execution logging.
Run the Python script, and it will enable execution logging for all APIs in API Gateway.

By following these steps, you can remediate the misconfiguration of API Gateway Execution Logging not being enabled in AWS using Python.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

API Gateway Execution Logging Should Be Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Check Cause

Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Check Cause

​Remediation

​

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Check Cause

Remediation