Ensure that API Gateway stage logging is enabled for compliance
Rule: API Gateway stage logging should be enabled
Framework: NIST 800-171 Revision 2
Severity: High
API Gateway Stage Logging Requirement for NIST 800-171 Revision 2
Rule Description
The rule requires enabling stage logging for the API Gateway service, in compliance with the NIST 800-171 Revision 2 security standard. Stage logging allows for the collection and retention of logs related to API Gateway stages, providing valuable information for auditing and troubleshooting purposes.
Troubleshooting Steps (if applicable)
If stage logging is not already enabled for the API Gateway, follow these steps to troubleshoot and rectify the issue:
Ensure necessary permission: Verify that you have the necessary permissions to enable stage logging in API Gateway. You should have the appropriate IAM role or access rights.
Check stage configuration: Review the current stage configuration for the API Gateway and confirm if any stage logging settings are already enabled. This can be checked using the AWS Management Console or by using the AWS Command Line Interface (CLI).
Verify service integration: If you are using a Lambda function or another AWS service as the integration for your API Gateway stage, ensure that the associated service is also configured to produce the logs you need.
Check CloudWatch log group: Verify if a log group already exists in CloudWatch for the API Gateway stage. If not, create a new log group to store the stage logs.
Enable stage logging: If stage logging is not yet enabled, proceed to enable it for the API Gateway stage using the recommended AWS CLI command.
Necessary Codes (if applicable)
Here is an example of the AWS CLI command to enable access logging for an API Gateway stage. Each patch operation is passed as a separate, space-separated shorthand argument, and the value of each operation is given with the value key:

aws apigateway update-stage --rest-api-id <rest-api-id> --stage-name <stage-name> --patch-operations op=replace,path=/accessLogSettings/destinationArn,value=<destination-arn> op=replace,path=/accessLogSettings/format,value='<log-format>'

<rest-api-id>: Replace this with the actual ID of your API Gateway REST API.
<stage-name>: Replace this with the name of the API Gateway stage for which you want to enable logging.
<destination-arn>: Replace this with the ARN (Amazon Resource Name) of the CloudWatch log group where the API Gateway stage logs will be stored (the log group ARN without a trailing ":*").
<log-format>: Replace this with the access log format string. API Gateway requires it to include $context.requestId (or $context.extendedRequestId); a minimal example is '$context.requestId $context.identity.sourceIp $context.httpMethod $context.resourcePath $context.status'.
Step-by-Step Guide for Remediation
Follow these step-by-step instructions to enable stage logging for the API Gateway in compliance with NIST 800-171 Revision 2:
Ensure you have the necessary permissions to enable stage logging in API Gateway.
Identify the API Gateway stage for which you want to enable logging.
Verify if any stage logging settings are already enabled by checking the stage configuration using the AWS Management Console or CLI.
If necessary, create a new log group in CloudWatch to store the stage logs if one does not already exist.
Open your preferred CLI tool and execute the AWS CLI command provided earlier, replacing the placeholders with the appropriate values:

aws apigateway update-stage --rest-api-id <rest-api-id> --stage-name <stage-name> --patch-operations op=replace,path=/accessLogSettings/destinationArn,value=<destination-arn> op=replace,path=/accessLogSettings/format,value='<log-format>'

<rest-api-id>: Replace this with the actual ID of your API Gateway REST API.
<stage-name>: Replace this with the name of the API Gateway stage for which you want to enable logging.
<destination-arn>: Replace this with the ARN (Amazon Resource Name) of the CloudWatch log group where the API Gateway stage logs will be stored (without a trailing ":*").
<log-format>: Replace this with the access log format string, which must include $context.requestId or $context.extendedRequestId.
Once the command successfully executes, access logging will be enabled for the specified API Gateway stage. Confirm the change by viewing the stage configuration again in the AWS Management Console or CLI and checking that accessLogSettings now shows the log group ARN and the format you supplied.
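As an added example (not code from the original page), the following Python check evaluates a stage description in the shape returned by aws apigateway get-stage and builds the patch operations that the update-stage command above applies. The sample stages, the default JSON log format and the log group ARN pattern are constructed assumptions; sending the patch to AWS (for example with boto3's update_stage) is left to the caller.

```python
import re

# API Gateway rejects an access log format that carries no request id.
REQUIRED_FORMAT_VARS = ("$context.requestId", "$context.extendedRequestId")
# Assumed default: one JSON line per request built from standard $context variables.
DEFAULT_FORMAT = (
    '{"requestId":"$context.requestId","ip":"$context.identity.sourceIp",'
    '"requestTime":"$context.requestTime","httpMethod":"$context.httpMethod",'
    '"resourcePath":"$context.resourcePath","status":"$context.status",'
    '"protocol":"$context.protocol","responseLength":"$context.responseLength"}'
)
# Bare CloudWatch log group ARN; the trailing ":*" printed by describe-log-groups is rejected.
LOG_GROUP_ARN = re.compile(r"^arn:aws(-[a-z]+)*:logs:[a-z0-9-]+:\d{12}:log-group:[^:*]+$")

# Constructed sample stages in the shape of `aws apigateway get-stage` output.
SAMPLE_STAGES = {
    "prod": {"stageName": "prod", "accessLogSettings": {
        "destinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/apigateway/prod",
        "format": DEFAULT_FORMAT}},
    "dev": {"stageName": "dev"},                          # logging never configured
    "test": {"stageName": "test", "accessLogSettings": {   # bad ARN and no request id
        "destinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/apigateway/test:*",
        "format": "$context.identity.sourceIp $context.status"}},
}


def check_stage_logging(stage: dict) -> list:
    """Return findings for one stage; an empty list means the stage complies."""
    findings = []
    settings = stage.get("accessLogSettings") or {}
    arn = settings.get("destinationArn", "")
    fmt = settings.get("format", "")
    if not arn:
        findings.append("access logging is not enabled (no destinationArn)")
    elif not LOG_GROUP_ARN.match(arn):
        findings.append(f"destinationArn is not a CloudWatch log group ARN: {arn}")
    if not fmt:
        findings.append("access log format is empty")
    elif not any(var in fmt for var in REQUIRED_FORMAT_VARS):
        findings.append("access log format has no request id variable")
    return findings


def remediation_patch_ops(destination_arn: str, log_format: str = DEFAULT_FORMAT) -> list:
    """Build the patchOperations list that update-stage needs to turn on access logging."""
    if not LOG_GROUP_ARN.match(destination_arn):
        raise ValueError(f"not a bare CloudWatch log group ARN: {destination_arn}")
    return [
        {"op": "replace", "path": "/accessLogSettings/destinationArn", "value": destination_arn},
        {"op": "replace", "path": "/accessLogSettings/format", "value": log_format},
    ]
```

Run check_stage_logging over every stage returned by get-stages to find non-compliant stages, then pass remediation_patch_ops output as patchOperations to update_stage for each one.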
Conclusion
Enabling stage logging for API Gateway in compliance with NIST 800-171 Revision 2 helps to ensure that valuable logs related to API Gateway stages are collected and retained. This provides essential information for auditing, monitoring, and troubleshooting purposes. By following the provided troubleshooting steps and using the necessary code snippets, you can successfully enable stage logging in API Gateway to meet the compliance requirements.