Rule: API Gateway Stage Logging Should Be Enabled

This rule requires enabling logging for API Gateway stages to ensure proper monitoring and troubleshooting.

Rule: API Gateway stage logging should be enabled
Framework: SOC 2
Severity: High

Rule Description

API Gateway stage logging should be enabled for SOC 2 compliance. This rule ensures that all activities related to the API Gateway stages are properly logged and auditable. Enabling logging helps in monitoring and identifying any suspicious or unauthorized activities performed on the API Gateway stages, which is crucial for maintaining the security and compliance standards required for SOC 2 certification.

Troubleshooting Steps (if any)

If stage logging is not enabled for API Gateway, follow these steps to troubleshoot:

  1. Check the API Gateway configuration settings to confirm whether stage logging is enabled.
  2. Verify the IAM permissions of the user or role associated with the API Gateway. Ensure that the required permissions are granted to enable stage logging.
  3. Check the CloudTrail logs to identify any errors or issues related to stage logging.
  4. Review the API Gateway documentation and AWS forums for any reported issues related to stage logging.

Necessary Code (if any)

To enable stage logging for API Gateway, you can use the AWS Command Line Interface (CLI). Here is an example of the necessary CLI code:

aws apigateway update-stage \
  --rest-api-id <your-rest-api-id> \
  --stage-name <your-stage-name> \
  --patch-operations op=replace,path=/accessLogSettings/destinationArn,value=<your-arn>

In the command above, replace <your-rest-api-id> with the ID of your API Gateway REST API and <your-stage-name> with the name of the stage for which you want to enable logging. Also, replace <your-arn> with the Amazon Resource Name (ARN) of the destination where the log events will be published (e.g., an Amazon CloudWatch Logs group).
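The CLI command above fixes one stage; the check below, an added example that is not Cloud Defense's or AWS's own code, evaluates the stage description returned by aws apigateway get-stages (or boto3 get_stages()) and reports stages whose access logging is missing, then walks a whole region. It also checks execution logging (methodSettings loggingLevel), which goes beyond the page's remediation; the sample stages, the log group ARN and the API id "abc123" are constructed.

```python
"""Evaluate API Gateway REST stages against this page's logging rule.
Added example (not Cloud Defense's or AWS's code); input is the stage shape from
`aws apigateway get-stages` / boto3 get_stages(). Execution-logging check is extra."""
from __future__ import annotations
from typing import Any

def stage_logging_findings(api_id: str, stage: dict[str, Any]) -> list[str]:
    """Return one finding string per problem; an empty list means compliant."""
    name = stage.get("stageName", "<unnamed>")
    findings: list[str] = []
    # Access logging needs both destinationArn and format on the stage.
    access = stage.get("accessLogSettings") or {}
    if not access.get("destinationArn"):
        findings.append(f"{api_id}/{name}: access logging has no destinationArn")
    elif not access.get("format"):
        findings.append(f"{api_id}/{name}: access log destination set but no log format")
    # Execution logging is per method ("<resource>/<METHOD>"; "*/*" is the
    # stage-wide default) with loggingLevel OFF, ERROR or INFO.
    levels = {key: ms.get("loggingLevel", "OFF")
              for key, ms in (stage.get("methodSettings") or {}).items()}
    if all(level == "OFF" for level in levels.values()):  # also True when empty
        findings.append(f"{api_id}/{name}: execution logging is OFF for every method")
    return findings

def scan_region(region: str) -> list[str]:
    """Walk every REST API and stage in one region (needs AWS credentials)."""
    import boto3  # imported lazily so the evaluator runs without the SDK installed
    client = boto3.client("apigateway", region_name=region)
    findings: list[str] = []
    for api in client.get_rest_apis()["items"]:
        for stage in client.get_stages(restApiId=api["id"])["item"]:
            findings.extend(stage_logging_findings(api["id"], stage))
    return findings

# Constructed sample stages shaped like get-stages output (not real data).
LOG_GROUP = "arn:aws:logs:us-east-1:123456789012:log-group:/apigw"
SAMPLE_STAGES = [
    {"stageName": "prod",
     "accessLogSettings": {"destinationArn": f"{LOG_GROUP}/prod",
                           "format": "$context.requestId $context.status"},
     "methodSettings": {"*/*": {"loggingLevel": "INFO"}}},
    {"stageName": "dev", "methodSettings": {"*/*": {"loggingLevel": "OFF"}}},
    {"stageName": "test", "accessLogSettings": {"destinationArn": f"{LOG_GROUP}/test"}},
]

if __name__ == "__main__":  # "abc123" is a constructed API id
    for s in SAMPLE_STAGES:
        print(stage_logging_findings("abc123", s) or f"{s['stageName']}: compliant")
```

Run against a real account with scan_region("us-east-1") once credentials are configured; only "prod" in the sample passes, because the CLI command above sets destinationArn but the stage also needs a log format before access logging takes effect.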

Step by Step Guide for Remediation

To enable stage logging for API Gateway and ensure SOC 2 compliance, follow these steps:

  1. Log in to the AWS Management Console.
  2. Go to the API Gateway service.
  3. Select the API Gateway that you want to enable stage logging for.
  4. In the left sidebar, click on the "Stages" tab.
  5. Choose the specific stage for which you want to enable logging.
  6. Click on the "Logs/Tracing" tab.
  7. Under the "Access logs" section, click on the "Edit" button.
  8. In the "Destination ARN" field, enter the ARN of the destination where the log events will be published. This can be an Amazon CloudWatch Logs group ARN.
  9. Click on the "Save" button to save the changes.
  10. Repeat steps 5-9 for any other stages that need stage logging enabled.
  11. Verify that stage logging is successfully enabled by checking the CloudTrail logs or the destination logs (e.g., CloudWatch Logs).

By following the above steps, you will enable stage logging for API Gateway, ensuring that all activities in the stages are properly logged for SOC 2 compliance.
