AWS-APIGateway-REST-apis-accessLog-settings-missing-destinationArn-and-json-format

Severity: Medium

Description: This control ensures that accessLogSettings exists with the destinationArn and in the json format for all Rest API Stages in all regions. In access logging, you, as an API developer, wants to log who has accessed your API and how the caller accessed the API. You can create your own log group or choose an existing log group that could be managed by API Gateway. To specify the access details, you select $context variables (expressed in a format of your choosing) and choose a log group as the destination. To preserve the uniqueness of each log, the access log format must include $context.requestId variable.

Remediation Steps:

Perform following to enable logging for REST Api:

1. Login to the AWS Management Console at https://console.aws.amazon.com.

2. Navigate to o API Gateway console.

3. On the Stages pane, choose the Logs/Tracing tab

4. On the Logs/Tracing tab,Under Custom Access Logging, do the following to turn on access logging: Choose the Enable Access Logging check box

5. For Access Log Destination ARN, enter the ARN of a CloudWatch log group or an Amazon Kinesis Data Firehose stream

6. under Log Format, enter the logging config in JSON format

7. Click on Save Changes.

Important:

Reference:

• Set up CloudWatch logging for REST APIs in API Gateway - Amazon API Gateway

• https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudwatch-logs/