Cloudwatch Logs Must Be Enabled For All APIs
More Info:
AWS CloudWatch logs should be enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level.
Risk Level
Low
Address
Operational Maturity, Security
Compliance Standards
HIPAA, SOC2, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Check Cause
- Log in to the AWS Management Console and navigate to the API Gateway service.
- In the API Gateway dashboard, select the API for which you want to check the CloudWatch Logs configuration.
- In the selected API’s settings, navigate to the “Stages” section.
- In the Stages section, select a stage (e.g., prod, dev) and then navigate to the “Logs/Tracing” tab. Here, you can check if CloudWatch Logs are enabled or not. If the “Enable CloudWatch Logs” checkbox is not selected, then CloudWatch Logs are not enabled for that particular API stage. Repeat this process for all stages of the API.
- First, install and configure the AWS CLI on your local machine by following the instructions provided by AWS. Make sure the credentials you use have the permissions needed to read API Gateway and CloudWatch Logs.
- Once the AWS CLI is set up, list all the APIs in API Gateway with the following command:

```sh
aws apigateway get-rest-apis
```

This command returns a list of all the REST APIs in API Gateway.
- For each API, check whether CloudWatch Logs are enabled on a stage with the following command:

```sh
aws apigateway get-stage --rest-api-id <restApiId> --stage-name <stageName>
```

Replace `<restApiId>` and `<stageName>` with the ID and name of the API and stage you want to check. This command returns the details of the stage, including whether CloudWatch Logs are enabled (the `loggingLevel` in its method settings).
- To automate the process, write a Python script using the boto3 library that iterates over all the APIs and stages and checks whether CloudWatch Logs are enabled. The script uses the `get_rest_apis` and `get_stage` methods of the `boto3.client('apigateway')` object to perform the same actions as the CLI commands above.
- Install and configure AWS SDK for Python (Boto3): You need to install and configure AWS SDK for Python (Boto3) on your local system. This SDK allows Python developers to write software that makes use of services like Amazon S3, Amazon EC2, etc. You can install it using pip:

```sh
pip install boto3
```

Then, configure your AWS credentials so that Boto3 can communicate with AWS services. You can do this by creating the files `~/.aws/credentials` and `~/.aws/config`:

`~/.aws/credentials`:

```ini
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
```

`~/.aws/config`:

```ini
[default]
region = us-east-1
```
- Use Boto3 to interact with AWS API Gateway: You can use Boto3 to interact with AWS API Gateway and retrieve information about your APIs. Here is a sample script that lists all your APIs:

```python
import boto3

client = boto3.client('apigateway')

# get_rest_apis returns the REST APIs of the configured region under 'items'
response = client.get_rest_apis()
for item in response['items']:
    print(item['name'])
```
- Check CloudWatch Logs for each API: For each API, you need to check if CloudWatch Logs are enabled. You can do this by retrieving the stage settings for each API and checking the `loggingLevel` attribute. Here is a sample script that checks if CloudWatch Logs are enabled for all APIs:

```python
import boto3

client = boto3.client('apigateway')

response = client.get_rest_apis()
for item in response['items']:
    # get_stages returns the stages of one REST API under 'item'
    stages = client.get_stages(restApiId=item['id'])
    for stage in stages['item']:
        # methodSettings is keyed by "<resourcePath>/<httpMethod>" ("*/*" is the
        # stage-wide default). A stage that was never configured has no method
        # settings at all, which also means CloudWatch Logs are off for it.
        settings_list = list(stage.get('methodSettings', {}).values())
        if not settings_list:
            print(f"CloudWatch Logs are not enabled for API {item['name']} at stage {stage['stageName']}")
            continue
        for settings in settings_list:
            if settings.get('loggingLevel') != 'INFO':
                print(f"CloudWatch Logs are not enabled for API {item['name']} at stage {stage['stageName']}")
                break  # report each stage once
```
- Analyze the results: The script prints the names of the APIs and stages for which CloudWatch Logs are not enabled. You can use this information to identify the misconfigurations in your AWS API Gateway setup.
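The CLI and Boto3 steps above both rest on the same two calls, `get_rest_apis` and `get_stages`. The following added example (not code from the original page, from AWS, or from any AWS tool) wraps them in a reusable audit that goes a little further than the script above: it follows the `position` pagination token of `get_rest_apis` so accounts with many APIs are fully covered, treats a stage with no method settings as unlogged, records the effective stage-wide logging level so an `ERROR`-only stage is distinguishable from one with logging fully off, lists per-method overrides, and returns findings as data instead of printing them. `FakeApiGatewayClient`, the API IDs and names, and the stage settings are constructed for offline use and mirror the response shapes of the real client; `run_live()` assumes credentials are configured as described above.

```python
"""Audit API Gateway REST API stages for CloudWatch execution logging.

Added example, not the page's or AWS's own code. The sample responses at the
bottom are constructed so the audit can be exercised without AWS access.
"""
from typing import Any, Dict, Iterator, List

REQUIRED_LEVEL = "INFO"     # level the check on this page expects
STAGE_DEFAULT_KEY = "*/*"   # methodSettings key holding the stage-wide settings


def iter_rest_apis(client) -> Iterator[Dict[str, Any]]:
    """Yield every REST API, following the `position` pagination token."""
    kwargs: Dict[str, Any] = {}
    while True:
        page = client.get_rest_apis(**kwargs)
        yield from page.get("items", [])
        position = page.get("position")
        if not position:
            return
        kwargs = {"position": position}


def evaluate_stage(stage: Dict[str, Any]) -> Dict[str, Any]:
    """Derive the effective execution-logging level of one stage.

    methodSettings is keyed by "<resourcePath>/<httpMethod>" with "/" in the
    path encoded as "~1"; "*/*" is the stage-wide default. A stage with no
    methodSettings, or whose "*/*" entry has no loggingLevel, has logging OFF.
    """
    settings = stage.get("methodSettings") or {}
    default_level = settings.get(STAGE_DEFAULT_KEY, {}).get("loggingLevel", "OFF")
    overrides = {
        key: value.get("loggingLevel", "OFF")
        for key, value in settings.items()
        if key != STAGE_DEFAULT_KEY
    }
    return {
        "stageName": stage.get("stageName"),
        "loggingLevel": default_level,
        "overrides": overrides,
        "compliant": default_level == REQUIRED_LEVEL,
    }


def audit_api_gateway(client) -> List[Dict[str, Any]]:
    """Return one finding per non-compliant stage across all REST APIs."""
    findings: List[Dict[str, Any]] = []
    for api in iter_rest_apis(client):
        stages = client.get_stages(restApiId=api["id"]).get("item", [])
        for stage in stages:
            result = evaluate_stage(stage)
            if not result["compliant"]:
                findings.append({"apiName": api["name"], "apiId": api["id"], **result})
    return findings


class FakeApiGatewayClient:
    """Constructed stand-in that returns the same shapes as boto3's apigateway client."""

    def __init__(self, api_pages, stages_by_api):
        self._api_pages = api_pages
        self._stages_by_api = stages_by_api

    def get_rest_apis(self, position=None, **_):
        index = int(position) if position else 0
        page = dict(self._api_pages[index])
        if index + 1 < len(self._api_pages):
            page["position"] = str(index + 1)  # token for the next page
        return page

    def get_stages(self, restApiId):
        return {"item": self._stages_by_api.get(restApiId, [])}


# Constructed sample data: two pages of APIs, three stages in total.
SAMPLE_API_PAGES = [
    {"items": [{"id": "a1b2c3", "name": "orders-api"}]},
    {"items": [{"id": "d4e5f6", "name": "payments-api"}]},
]
SAMPLE_STAGES = {
    "a1b2c3": [
        {"stageName": "prod", "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": False}}},
        {"stageName": "dev", "methodSettings": {}},  # never configured: logging off
    ],
    "d4e5f6": [
        {"stageName": "prod", "methodSettings": {"*/*": {"loggingLevel": "ERROR"},
                                                 "~1charge/POST": {"loggingLevel": "INFO"}}},
    ],
}


def run_sample() -> List[Dict[str, Any]]:
    """Run the audit against the constructed sample account."""
    return audit_api_gateway(FakeApiGatewayClient(SAMPLE_API_PAGES, SAMPLE_STAGES))


def run_live(region: str = None) -> List[Dict[str, Any]]:
    """Run the audit against a real account (assumes configured credentials)."""
    import boto3  # imported lazily so the sample runs without boto3 installed
    return audit_api_gateway(boto3.client("apigateway", region_name=region))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['apiName']}/{f['stageName']}: loggingLevel={f['loggingLevel']} overrides={f['overrides']}")
```

On the sample data the audit flags `orders-api/dev` (logging `OFF`, never configured) and `payments-api/prod` (stage default `ERROR`, with only one method overridden to `INFO`), while `orders-api/prod` passes. Per-method overrides are reported rather than used to pass a stage, since a stage whose default is `OFF` or `ERROR` still drops execution logs for every method that is not explicitly overridden.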