This rule checks that logging is enabled on every API Gateway stage so that API activity is recorded for monitoring and audit.
| Rule | Framework | Severity |
| --- | --- | --- |
| API Gateway stage logging should be enabled | GxP 21 CFR Part 11 | High |
Rule Description:
API Gateway stage logging should be enabled for GxP 21 CFR Part 11 compliance. Logging is configured per stage, the deployed version of an API that clients actually call. With it enabled, API Gateway writes execution logs (how each request was handled, including authorization and integration errors) and, if configured, access logs (who called which method, when, from which source IP, and with what status) to CloudWatch Logs. Those time-stamped records are the audit trail that 21 CFR Part 11 (11.10(e)) expects of a computerized system handling regulated records; without them there is no way to reconstruct who did what through the API. Execution logging is available for REST and WebSocket APIs; HTTP APIs support access logging only.
Troubleshooting Steps:
If stage logging is not enabled, or it is enabled but no log events arrive, work through the following checks:
Verify the CloudWatch Logs Role: API Gateway does not use a per-API role for logging. It uses one account-level role ARN per region (API Gateway console, Settings, "CloudWatch log role ARN"; `cloudwatchRoleArn` in the GetAccount API). The role must trust apigateway.amazonaws.com and be allowed to create log groups and streams and put log events; the AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs grants exactly that. If the role is unset or invalid, saving the stage logging settings fails with an error that the CloudWatch Logs role ARN must be set.
Check the Log Destination: Execution logs always go to CloudWatch Logs, into a log group named API-Gateway-Execution-Logs_<rest-api-id>/<stage-name> that API Gateway creates on the first logged request. Access logs go to the CloudWatch log group (or, for REST APIs, the Kinesis Data Firehose delivery stream) whose ARN is set on the stage; that ARN must be valid, in the same region, and the log group must already exist, because API Gateway does not create it. An S3 bucket is not a direct destination; to keep copies in S3, export the log group or attach a subscription filter or Firehose delivery stream.
Validate Log Retention: Retention is a property of the CloudWatch log group, not of the API Gateway stage, and a newly created log group defaults to never expiring. Set it explicitly (CloudWatch Logs console or put-retention-policy) on both the execution and the access log group, and make sure the period is at least as long as the retention required for the associated electronic records; 21 CFR Part 11 does not prescribe a number of days, so take the value from your validated record retention procedure.
Monitor CloudWatch Metrics: API Gateway publishes per-stage metrics (Count, 4XXError, 5XXError, Latency) whether or not logging is on. If Count shows traffic but the execution log group receives nothing (IncomingLogEvents in the AWS/Logs namespace stays at zero for that log group), logging is off for the stage or the role is broken. Alarm on the absence of log events for a stage that should be logging, not only on API errors.
Test Stage Logging: Send a request to the stage and confirm an entry appears in the execution log group; at "Errors and info logs" every request produces entries, at "Errors only" only failing requests do. Check that the entry carries the request ID, method, resource path, status and a timestamp, and that the access log entry (if configured) shares the same request ID. "Log full requests/responses data" (data trace) writes request and response headers and bodies into the log; enable it only where those payloads are allowed to be recorded.
Necessary Codes:
No code is required. Stage logging can be set from the API Gateway console, from the AWS CLI (`aws apigateway update-stage` with patch operations on the stage's method settings, and `aws apigateway update-account` for the account-level CloudWatch Logs role), or through the UpdateStage and UpdateAccount API calls.
Step-by-Step Guide for Enabling API Gateway Stage Logging:
Open the AWS Management Console and navigate to the API Gateway service.
Select the REST API for which you want to enable stage logging.
Click "Stages" to view the list of stages associated with the selected API.
Select the desired stage from the list.
Under the stage settings, open the "Logs/Tracing" tab.
In the "CloudWatch Settings" section, click "Edit".
For CloudWatch logs, choose "Errors only" or "Errors and info logs"; "Errors and info logs" (INFO) records every request and is the level that yields a complete audit trail.
Leave "Log full requests/responses data" unchecked unless request and response headers and bodies may be written to the log; it captures payloads and is not a prerequisite for logging.
Optionally enable "Detailed CloudWatch metrics" so that per-method metrics are available for alarms.
Under "Custom access logging", enable access logging, enter the ARN of a CloudWatch log group you created beforehand, and choose a log format (the console offers CLF, JSON, XML and CSV templates); make sure the format includes at least $context.requestId, $context.requestTime, $context.identity.sourceIp, $context.httpMethod, $context.resourcePath and $context.status.
Click "Save Changes". If the save fails with a message that the CloudWatch Logs role ARN is not set, open "Settings" in the API Gateway console, enter the ARN of an IAM role that trusts apigateway.amazonaws.com and has the AmazonAPIGatewayPushToCloudWatchLogs policy attached, save, and repeat the stage edit. The change takes effect without redeploying the API.
In the CloudWatch Logs console, set the retention period on the execution log group (API-Gateway-Execution-Logs_<rest-api-id>/<stage-name>, which appears after the first logged request) and on the access log group, as required by your GxP record retention procedure; API Gateway itself has no retention setting.
Test the stage logging by making API requests and verifying that matching entries appear in both log groups.
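The troubleshooting checks and the enabling procedure above can both be scripted. The following Python is an added example, not code from this rule page or from AWS: it evaluates the stage description that GetStage (or `aws apigateway get-stage`) returns, flags stages whose stage-wide logging level is OFF or that carry a per-method OFF override, and builds the UpdateStage and UpdateAccount patch operations that turn logging on. The sample stage dicts are constructed for offline demonstration; the role ARN, log group ARN and retention value are placeholders, and only the live functions need boto3.

```python
"""Audit and remediate logging on API Gateway REST API stages (added example).

The pure helpers operate on the dict shape returned by GetStage, so they run
offline; the live functions take boto3 clients for apigateway and logs.
"""
import json

COMPLIANT_LEVELS = ("ERROR", "INFO")

# Access log format: JSON with the $context variables an audit trail needs.
DEFAULT_ACCESS_FORMAT = json.dumps({
    "requestId": "$context.requestId",
    "requestTime": "$context.requestTime",
    "sourceIp": "$context.identity.sourceIp",
    "caller": "$context.identity.caller",
    "user": "$context.identity.user",
    "httpMethod": "$context.httpMethod",
    "resourcePath": "$context.resourcePath",
    "status": "$context.status",
    "protocol": "$context.protocol",
    "responseLength": "$context.responseLength",
})

# Constructed sample GetStage responses for offline use (not real AWS output).
SAMPLE_STAGES = [
    {"stageName": "prod",
     "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": False,
                                "metricsEnabled": True}},
     "accessLogSettings": {"destinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:apigw-access",
                           "format": DEFAULT_ACCESS_FORMAT}},
    {"stageName": "dev", "methodSettings": {}},          # logging never configured
    {"stageName": "test",
     "methodSettings": {"*/*": {"loggingLevel": "ERROR"},
                        "orders/POST": {"loggingLevel": "OFF"}}},   # method override
]


def execution_log_group(rest_api_id: str, stage_name: str) -> str:
    """Name of the log group API Gateway creates for a stage's execution logs."""
    return f"API-Gateway-Execution-Logs_{rest_api_id}/{stage_name}"


def stage_logging_status(stage: dict) -> dict:
    """Evaluate one GetStage response.

    Execution logging lives per method path in methodSettings; "*/*" is the
    stage-wide default.  Empty methodSettings means logging was never set (OFF).
    A method-path entry that explicitly says OFF overrides the stage default for
    that method, so such paths are reported and make the stage non-compliant.
    """
    settings = stage.get("methodSettings") or {}
    default = settings.get("*/*", {})
    level = default.get("loggingLevel", "OFF")
    access = stage.get("accessLogSettings") or {}
    overridden_off = sorted(path for path, s in settings.items()
                            if path != "*/*" and s.get("loggingLevel") == "OFF")
    return {
        "stage": stage.get("stageName"),
        "execution_log_level": level,
        "data_trace": bool(default.get("dataTraceEnabled", False)),
        "overridden_off": overridden_off,
        "access_logging": bool(access.get("destinationArn")),
        "compliant": level in COMPLIANT_LEVELS and not overridden_off,
    }


def enable_logging_patch(level: str = "INFO", data_trace: bool = False,
                         metrics: bool = True) -> list:
    """UpdateStage patchOperations that turn execution logging on for all methods.

    dataTrace writes full request/response headers and bodies into the log, so it
    defaults to off: turning it on is a decision to record possibly sensitive data.
    """
    if level not in COMPLIANT_LEVELS:
        raise ValueError("level must be ERROR or INFO")
    return [
        {"op": "replace", "path": "/*/*/logging/loglevel", "value": level},
        {"op": "replace", "path": "/*/*/logging/dataTrace", "value": str(data_trace).lower()},
        {"op": "replace", "path": "/*/*/metrics/enabled", "value": str(metrics).lower()},
    ]


def access_log_patch(log_group_arn: str, fmt: str = DEFAULT_ACCESS_FORMAT) -> list:
    """patchOperations that point the stage's access log at an existing log group."""
    return [
        {"op": "replace", "path": "/accessLogSettings/destinationArn", "value": log_group_arn},
        {"op": "replace", "path": "/accessLogSettings/format", "value": fmt},
    ]


def ensure_cloudwatch_role(apigw, role_arn: str) -> None:
    """The CloudWatch Logs role is one account-level setting per region; UpdateStage
    rejects logging changes until it is set.  role_arn is a placeholder you supply."""
    if apigw.get_account().get("cloudwatchRoleArn") != role_arn:
        apigw.update_account(patchOperations=[
            {"op": "replace", "path": "/cloudwatchRoleArn", "value": role_arn}])


def audit_rest_apis(apigw) -> list:
    """Return a status dict for every stage of every REST API in the client's region."""
    results = []
    for page in apigw.get_paginator("get_rest_apis").paginate():
        for api in page.get("items", []):
            for stage in apigw.get_stages(restApiId=api["id"]).get("item", []):
                status = stage_logging_status(stage)
                status["api"] = api["id"]
                results.append(status)
    return results


def remediate_stage(apigw, logs, rest_api_id: str, stage_name: str,
                    access_log_group_arn: str, retention_days: int) -> None:
    """Turn on execution and access logging for one stage and pin log retention."""
    ops = enable_logging_patch() + access_log_patch(access_log_group_arn)
    apigw.update_stage(restApiId=rest_api_id, stageName=stage_name, patchOperations=ops)
    # Retention is set on the log group, not the stage.  The execution log group
    # only exists after the first logged request, so that call may need a rerun.
    access_group = access_log_group_arn.split(":log-group:")[1].rstrip(":*")
    for group in (execution_log_group(rest_api_id, stage_name), access_group):
        try:
            logs.put_retention_policy(logGroupName=group, retentionInDays=retention_days)
        except logs.exceptions.ResourceNotFoundException:
            print(f"log group {group} does not exist yet; rerun after the first request")


if __name__ == "__main__":
    import boto3  # only needed for the live audit
    for row in audit_rest_apis(boto3.client("apigateway")):
        print(json.dumps(row))
```

Run the script with AWS credentials for a read-only audit; call `ensure_cloudwatch_role` and then `remediate_stage` for each non-compliant stage. Compliance here means the stage-wide level is ERROR or INFO with no per-method OFF override; access logging is reported separately because it is a different setting, though for a per-call audit trail you want both.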
Enabling stage logging for API Gateway supports GxP 21 CFR Part 11 compliance by capturing a time-stamped record of API activity. These logs are the audit trail, so treat them as regulated records: set retention on the log groups, restrict the IAM permissions that could delete log groups or shorten retention (logs:DeleteLogGroup, logs:PutRetentionPolicy), and review the logging settings whenever the API or the applicable regulatory requirements change.