AWS-APIGateway-API-Gateway-CloudWatch-Logs

Severity: Medium

Description: This control ensures that logging is not set to OFF for any REST API stage in API Gateway, across all regions. There are two types of API logging in CloudWatch: execution logging and access logging. In execution logging, API Gateway manages the CloudWatch Logs. The process consists of creating log groups and log streams, and reporting to the log streams any caller's requests and responses.

Remediation Steps:

Perform the following to enable logging for a REST API:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the API Gateway console.

  3. On the Stages pane, choose the Logs/Tracing tab.

  4. On the Logs/Tracing tab, under CloudWatch Settings, do the following to turn on execution logging: choose the Enable CloudWatch Logs check box.

  5. Choose a log level of ERROR or INFO according to your logging requirements.

  6. Click on Save Changes.
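To check the same setting programmatically, the following added example (not part of the original control text) evaluates the `methodSettings` map that the API Gateway `get_stages` call returns for each stage and reports where execution logging is off. The sample data and the function names `logging_findings` and `audit_region` are constructed for illustration; `audit_region` assumes a boto3 `apigateway` client and must be called once per region.

```python
# Added example: evaluate API Gateway stage settings for execution logging.
# SAMPLE_STAGES is constructed data in the shape returned by get_stages.
SAMPLE_STAGES = {
    "item": [
        {"stageName": "prod", "methodSettings": {"*/*": {"loggingLevel": "ERROR"}}},
        {"stageName": "dev", "methodSettings": {"*/*": {"loggingLevel": "OFF"}}},
        {"stageName": "test", "methodSettings": {}},  # logging never configured
        {"stageName": "beta", "methodSettings": {
            "*/*": {"loggingLevel": "INFO"},
            "~1orders/GET": {"loggingLevel": "OFF"}}},  # constructed per-method override
    ]
}


def logging_findings(stages_response):
    """Return (stage, settings_key, reason) for each place execution logging is off."""
    findings = []
    for stage in stages_response.get("item", []):
        name = stage.get("stageName", "<unnamed>")
        settings = stage.get("methodSettings") or {}
        # "*/*" holds the stage-wide default; without it, logging stays disabled.
        if "*/*" not in settings:
            findings.append((name, "*/*", "no stage-level setting, logging is off"))
        # A method-level override can switch logging off even when the default is on.
        for key, cfg in sorted(settings.items()):
            if cfg.get("loggingLevel", "OFF") == "OFF":
                findings.append((name, key, "loggingLevel is OFF"))
    return findings


def audit_region(client):
    """Check every REST API in one region; client is a boto3 'apigateway' client."""
    results = {}
    for page in client.get_paginator("get_rest_apis").paginate():
        for api in page.get("items", []):
            found = logging_findings(client.get_stages(restApiId=api["id"]))
            if found:
                results[api["id"]] = found
    return results


if __name__ == "__main__":
    for finding in logging_findings(SAMPLE_STAGES):
        print(finding)
```
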

Important:

Reference:

Blue Hexagon Proprietary