AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Cloudwatch Logs Must Be Enabled For All APIs
More Info:
AWS CloudWatch logs should be enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level.
Risk Level
Low
Address
Operational Maturity, Security
Compliance Standards
HIPAA, SOC2, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Cloudwatch Logs Must Be Enabled For All APIs” for AWS using AWS console, follow the below steps:
- Login to the AWS Management Console.
- Go to the Amazon API Gateway service.
- Select the API you want to enable Cloudwatch logs for.
- Click on the “Stages” link in the left-hand menu.
- Select the stage you want to enable Cloudwatch logs for.
- Click on the “Logs/Tracing” tab.
- Under “CloudWatch Settings”, click the pencil icon to edit the settings.
- Select “Enable CloudWatch Logs” and choose a log format.
- Select an existing IAM role or create a new one for CloudWatch Logs to assume.
- Click “Save Changes”.
After following these steps, Cloudwatch logs will be enabled for the selected API and stage.
To remediate the misconfiguration “Cloudwatch Logs Must Be Enabled For All APIs” for AWS, follow the steps below:
-
Open the AWS CLI on your local machine.
-
Run the following command to create a CloudWatch log group:
aws logs create-log-group --log-group-name <log-group-name>Replace
<log-group-name>with a unique name for your CloudWatch log group. -
Run the following command to create a CloudWatch log stream:
aws logs create-log-stream --log-group-name <log-group-name> --log-stream-name <log-stream-name>Replace
<log-group-name>with the name of the log group you created in step 2, and<log-stream-name>with a unique name for your CloudWatch log stream. -
Run the following command to enable CloudWatch logs for all APIs:
aws apigateway update-usage --usage-plan-id <usage-plan-id> --patch-operations op=add,path=/apiStages/-,value="{\"apiId\":\"*\",\"stage\":\"*\",\"throttle\":{},\"quota\":{}}"Replace
<usage-plan-id>with the ID of the usage plan you want to update. -
Verify that CloudWatch logs are enabled for all APIs by checking the CloudWatch log group you created in step 2. You should see log streams for all APIs in the usage plan you updated in step 4.
By following these steps, you have successfully remediated the misconfiguration “Cloudwatch Logs Must Be Enabled For All APIs” for AWS using AWS CLI.
To remediate the misconfiguration “Cloudwatch Logs Must Be Enabled For All APIs” for AWS using Python, you can follow the below steps:
- First, you need to import the required AWS SDKs for Python using pip. You need to install boto3, which is the AWS SDK for Python.
pip install boto3
- Once the SDKs are installed, you need to create an AWS client using the boto3 SDK.
import boto3
client = boto3.client('apigateway')
- After creating the client, you need to list all the APIs in your account.
response = client.get_rest_apis()
- Once you have the APIs, you need to enable CloudWatch Logs for each of them.
for item in response['items']:
rest_api_id = item['id']
client.update_stage(restApiId=rest_api_id, stageName='prod', patchOperations=[{'op': 'replace', 'path': '/logging/loglevel', 'value': 'INFO'}, {'op': 'replace', 'path': '/logging/dataTrace', 'value': 'true'}])
- This code will update the logging configuration for each API and enable CloudWatch Logs.
This should remediate the misconfiguration “Cloudwatch Logs Must Be Enabled For All APIs” for AWS.