
API Gateway REST and WebSocket API logging Rule

This rule requires that logging be enabled for API Gateway REST and WebSocket APIs.

Rule: API Gateway REST and WebSocket API logging should be enabled
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description: API Gateway REST and WebSocket API logging should be enabled for AWS Foundational Security Best Practices. Enabling logging for API Gateway REST and WebSocket APIs helps monitor and analyze API traffic, detect potential security threats, and investigate suspicious activities.

Troubleshooting Steps: If logging is not enabled for your API Gateway REST and WebSocket APIs, you can follow the steps below to enable it:

Step 1: Open the API Gateway Console

  • Sign in to the AWS Management Console.
  • Go to the API Gateway service.

Step 2: Select an API

  • In the API Gateway console, select the REST or WebSocket API for which you want to enable logging.

Step 3: Configure Logging

  • In the left navigation pane, click on "Stages" under the API Name.
  • Select the desired stage for which you want to enable logging.
  • Click on the "Logs/Tracing" tab.

Step 4: Enable Access Logging

  • Under "Access Logging", toggle the switch to enable access logging.
  • Choose an existing CloudWatch log group or create a new one.
  • Specify a log format if needed.

Step 5: Enable Execution Logging (optional for REST APIs)

  • Under "Execution Logging", toggle the switch to enable execution logging.
  • Choose an existing CloudWatch log group or create a new one.
  • Specify a log level if needed.

Step 6: Save Changes

  • Click on the "Save Changes" button to enable logging for the selected stage.

Step 7: Repeat for Other Stages (if applicable)

  • If you have multiple stages in your API, repeat Steps 3 to 6 for each stage.

Necessary Code: No code snippets are required for this configuration.

Remediation Guide: To enable logging for API Gateway REST and WebSocket APIs, follow these steps:

  1. Open a web browser and go to the AWS Management Console (https://console.aws.amazon.com).
  2. Sign in to your AWS account with appropriate credentials.
  3. In the AWS Management Console, navigate to the API Gateway service.
  4. Select the REST or WebSocket API for which you want to enable logging.
  5. In the left navigation pane, click on "Stages" under the API Name.
  6. Choose the desired stage for which you want to enable logging.
  7. Under the "Logs/Tracing" tab, enable access logging by toggling the switch.
  8. Choose an existing CloudWatch log group or create a new one.
  9. Optionally, specify a log format for access logging.
  10. If you have a REST API, you can also enable execution logging by toggling the switch under "Execution Logging". Choose a log group and specify a log level if needed.
  11. Click on the "Save Changes" button to enable logging for the selected stage.
  12. Repeat Steps 5 to 11 for any other stages you want to enable logging for.

By following these steps, you have successfully enabled logging for your API Gateway REST and WebSocket APIs. The logs will now be sent to the specified CloudWatch log group, allowing you to monitor and analyze the API traffic effectively.
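To verify the result of the procedure above across many stages, the following added example (not part of this page or of any AWS tool) evaluates stage descriptions for the two settings the steps toggle: an access log destination and an execution log level of ERROR or INFO. The stage records are constructed sample data shaped after the fields returned by the API Gateway `get_stage` (REST) and API Gateway v2 `get_stage` (WebSocket) calls; the account ID and ARNs are placeholders.

```python
"""Audit API Gateway stages for access and execution logging (added example)."""

EXEC_LEVELS_ON = ("ERROR", "INFO")  # execution logging is active at either level

# Constructed sample input, shaped like boto3 apigateway.get_stage responses.
REST_STAGES = [
    {
        "stageName": "prod",
        "accessLogSettings": {
            "destinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:/apigw/prod-access",
            "format": "$context.requestId $context.status",
        },
        "methodSettings": {"*/*": {"loggingLevel": "INFO"}},
    },
    {"stageName": "dev", "methodSettings": {"*/*": {"loggingLevel": "OFF"}}},
]

# Constructed sample input, shaped like boto3 apigatewayv2.get_stage responses.
WS_STAGES = [
    {
        "StageName": "live",
        "AccessLogSettings": {
            "DestinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:/apigw/live-access"
        },
        "DefaultRouteSettings": {"LoggingLevel": "OFF"},
    },
]


def check_rest_stage(stage: dict) -> tuple[str, list[str]]:
    """Return (stage name, missing settings) for a REST API stage."""
    access = stage.get("accessLogSettings") or {}
    # "*/*" holds the stage-wide default method settings.
    level = (stage.get("methodSettings") or {}).get("*/*", {}).get("loggingLevel", "OFF")
    missing = []
    if not access.get("destinationArn"):
        missing.append("access_logging")
    if level not in EXEC_LEVELS_ON:
        missing.append("execution_logging")
    return stage.get("stageName", "?"), missing


def check_websocket_stage(stage: dict) -> tuple[str, list[str]]:
    """Return (stage name, missing settings) for a WebSocket API stage."""
    access = stage.get("AccessLogSettings") or {}
    level = (stage.get("DefaultRouteSettings") or {}).get("LoggingLevel", "OFF")
    missing = []
    if not access.get("DestinationArn"):
        missing.append("access_logging")
    if level not in EXEC_LEVELS_ON:
        missing.append("execution_logging")
    return stage.get("StageName", "?"), missing


def find_noncompliant(rest_stages, ws_stages) -> list[tuple[str, list[str]]]:
    """List every stage that lacks at least one of the two logging settings."""
    results = [check_rest_stage(s) for s in rest_stages]
    results += [check_websocket_stage(s) for s in ws_stages]
    return [(name, missing) for name, missing in results if missing]


if __name__ == "__main__":
    for name, missing in find_noncompliant(REST_STAGES, WS_STAGES):
        print(f"stage {name}: missing {', '.join(missing)}")
```

Feeding real `get_stages` output into the same functions gives a per-stage list of what still needs to be toggled on.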
