This rule ensures that API Gateway stage logging is enabled to maintain security standards.
Rule | API Gateway stage logging should be enabled
Framework | NIST 800-171 Revision 2
Severity | High
Rule Description
This rule checks that execution logging is enabled on every stage of an API Gateway REST API. NIST 800-171 Revision 2 requires that system activity be recorded and retained so that unauthorized activity can be detected and investigated (the Audit and Accountability family, section 3.3); for API Gateway, stage logging is how that requirement is met.
When execution logging is enabled on a stage (log level ERROR or INFO), API Gateway writes a CloudWatch Logs log group for that stage recording how each request was processed: the request ID, the HTTP method and resource path, authorizer and integration errors, and the response status code. Caller details such as source IP address and identity are recorded by access logging, which is configured separately on the same stage (accessLogSettings) with a log format you define. Together these logs are the primary evidence for security analysis and incident response on the API.
Troubleshooting Steps
If API Gateway stage logging is disabled or misconfigured, you may encounter the following issues:
Lack of visibility into API calls: without stage logging there is no record of the requests a stage received or how it handled them, so suspicious calls cannot be detected, and an incident cannot be reconstructed during investigation.
Difficulty in compliance assessment: NIST 800-171 Revision 2 requires audit records of system activity, so a stage with logging disabled is a non-compliance finding.
Necessary Codes
To enable API Gateway stage logging for NIST 800-171 Revision 2 compliance, you need to configure the logging settings of your API Gateway stage using AWS Command Line Interface (CLI) commands.
Step-by-Step Guide for Remediation
Follow these step-by-step instructions to enable API Gateway stage logging for NIST 800-171 Revision 2:
Step 1: Install and Configure AWS CLI (if not already done)
If you haven't already installed the AWS CLI, download and install the build for your operating system; refer to the official AWS CLI documentation for installation instructions.
Once installed, open a terminal or command prompt and run the following command to configure the AWS CLI with your AWS account credentials:
aws configure
Step 2: Enable API Gateway Stage Logging
Open a terminal or command prompt.
Execution logging is written through an account-level IAM role that API Gateway assumes to push logs to CloudWatch Logs (the cloudwatchRoleArn in the account settings, visible with get-account). Make sure one is registered first: update-stage rejects a logging change with a BadRequestException if the account has no CloudWatch Logs role.
Then run the following AWS CLI command to enable logging for your API Gateway stage:
aws apigateway update-stage --rest-api-id <rest_api_id> --stage-name <stage_name> --patch-operations '[{"op": "replace", "path": "/*/*/logging/loglevel", "value": "INFO"}]'
Replace <rest_api_id> with the ID of your API Gateway REST API and <stage_name> with the name of the stage you want to enable logging for. The path /*/*/logging/loglevel applies the setting to every resource and method on the stage (a method setting always exists with a default of OFF, which is why the operation is replace); the bare path /logging/loglevel is not a valid stage patch path. The value INFO logs every request; ERROR logs only failed requests, which still satisfies the rule but gives far less visibility.
Step 3: Verify Logging Configuration
Stage settings take effect immediately; no new deployment of the API is required.
To verify the logging configuration, use the following command:
aws apigateway get-stage --rest-api-id <rest_api_id> --stage-name <stage_name> --query 'methodSettings'
Replace <rest_api_id> and <stage_name> with the respective values. In the output, look at the "*/*" entry's "loggingLevel" field: a value of "INFO" or "ERROR" means execution logging is enabled for the stage, while "OFF" (or an empty methodSettings map) means it is not. Also check any per-method entries (for example "pets/GET"), since an override can switch logging back off for a single route.
Do not use the "dataTraceEnabled" field as the indicator. That flag is independent of the logging level: it enables full request and response data logging, which writes complete payloads (potentially including credentials or personal data) to CloudWatch Logs, and AWS does not recommend it for production APIs. Leave it false unless you are actively debugging and have reviewed what the bodies contain.
Conclusion
Enabling API Gateway stage logging is crucial for NIST 800-171 Revision 2 compliance. By following the above steps, you can ensure that the necessary logging is configured for your API Gateway stage, allowing you to fulfill the requirements of NIST 800-171 Revision 2 and enhance your overall security posture.
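The procedure above, scripted end to end, as an added example that is not part of this page and not AWS code. It drives the same get-account, get-stage and update-stage calls the steps describe through the aws CLI via subprocess, so the CLI and configured credentials are only needed when it is run against a real account; the compliance check itself operates on the JSON that get-stage returns and is exercised here on constructed sample documents, so it runs offline. It goes slightly beyond the steps: it also flags per-method overrides that switch logging off and warns when dataTraceEnabled is set. The stage names, deployment IDs and role ARN are placeholders.

```python
"""Audit (and optionally remediate) execution logging on an API Gateway REST stage.

Added example for this page; not the page author's or AWS's code. Requires the
aws CLI on PATH and credentials only for a live run (python audit_stage.py
<rest_api_id> <stage_name> [--fix]); with no arguments it checks the
constructed samples below.
"""
import json
import subprocess
import sys

ALL_METHODS = "*/*"                   # methodSettings key covering every resource/method
COMPLIANT_LEVELS = {"ERROR", "INFO"}  # anything else (OFF) means execution logging is disabled
LOGGING_PATH = f"/{ALL_METHODS}/logging/loglevel"  # patch path used by update-stage


def check_stage_logging(stage):
    """Evaluate one get-stage document. Returns {'compliant', 'level', 'warnings'}."""
    settings = stage.get("methodSettings") or {}
    default = settings.get(ALL_METHODS) or {}
    level = default.get("loggingLevel", "OFF")
    result = {"compliant": level in COMPLIANT_LEVELS, "level": level, "warnings": []}
    # A per-method override can switch logging back off for a single route,
    # which a check of only the stage default would miss.
    for key, override in settings.items():
        if key == ALL_METHODS:
            continue
        lvl = override.get("loggingLevel")
        if lvl is not None and lvl not in COMPLIANT_LEVELS:
            result["compliant"] = False
            result["warnings"].append(f"{key}: loggingLevel={lvl} overrides the stage default")
    # dataTraceEnabled is not the logging switch: it writes full request and
    # response bodies (often containing tokens or PII) to CloudWatch Logs.
    if default.get("dataTraceEnabled"):
        result["warnings"].append(
            "dataTraceEnabled=true: full payloads are logged; review before keeping this in production")
    return result


def account_has_logs_role(account):
    """update-stage rejects a logging change unless the account has a CloudWatch Logs role ARN."""
    return bool(account.get("cloudwatchRoleArn"))


def remediation_patch_ops(level="INFO"):
    """Patch operations for `aws apigateway update-stage --patch-operations`."""
    return [{"op": "replace", "path": LOGGING_PATH, "value": level}]


def aws(*args):
    """Run one aws CLI command and parse its JSON output (live runs only)."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True)
    return json.loads(out.stdout) if out.stdout.strip() else {}


def audit(rest_api_id, stage_name, fix=False):
    """Check a live stage; with fix=True, enable INFO logging and re-check."""
    if not account_has_logs_role(aws("apigateway", "get-account")):
        raise SystemExit("set the account CloudWatch Logs role first: aws apigateway update-account "
                         "--patch-operations op=replace,path=/cloudwatchRoleArn,value=<role_arn>")
    stage_args = ("apigateway", "get-stage", "--rest-api-id", rest_api_id, "--stage-name", stage_name)
    result = check_stage_logging(aws(*stage_args))
    if not result["compliant"] and fix:
        aws("apigateway", "update-stage", "--rest-api-id", rest_api_id, "--stage-name", stage_name,
            "--patch-operations", json.dumps(remediation_patch_ops()))
        result = check_stage_logging(aws(*stage_args))
    return result


# Constructed, trimmed get-stage output for a stage with logging off.
SAMPLE_NONCOMPLIANT = {
    "stageName": "prod",
    "deploymentId": "abc123",
    "methodSettings": {"*/*": {"loggingLevel": "OFF", "dataTraceEnabled": False, "metricsEnabled": True}},
}
# Constructed output after remediation, with a per-method override and data trace left on.
SAMPLE_REMEDIATED = {
    "stageName": "prod",
    "deploymentId": "abc123",
    "methodSettings": {
        "*/*": {"loggingLevel": "INFO", "dataTraceEnabled": True, "metricsEnabled": True},
        "pets/GET": {"loggingLevel": "OFF", "dataTraceEnabled": False, "metricsEnabled": True},
    },
}

if __name__ == "__main__":
    if len(sys.argv) >= 3:
        print(json.dumps(audit(sys.argv[1], sys.argv[2], fix="--fix" in sys.argv), indent=2))
    else:  # offline demonstration on the constructed samples
        for sample in (SAMPLE_NONCOMPLIANT, SAMPLE_REMEDIATED):
            print(sample["stageName"], check_stage_logging(sample))
```

The check is deliberately strict: a stage whose "*/*" default is INFO but that carries a "pets/GET" override with loggingLevel OFF is reported as non-compliant, because that one route would produce no execution logs. The account-role check runs before any stage change so the failure mode described in Step 2 surfaces as a clear message instead of a BadRequestException from update-stage.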