Control: 1 API Gateway REST and WebSocket API logging should be enabled
Description
This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO.
API Gateway REST or WebSocket API stages should have relevant logs enabled. API Gateway REST and WebSocket API execution logging provides detailed records of requests made to API Gateway REST and WebSocket API stages. The stages include API integration backend responses, Lambda authorizer responses, and the requestId for AWS integration endpoints.
Remediation
To enable logging for REST and WebSocket API operations, see Set up CloudWatch API logging using the API Gateway console.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_apigateway_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_apigateway_1 --shareSQL
This control uses a named query:
with all_stages as ( select name as stage_name, 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name as arn, method_settings -> '*/*' ->> 'LoggingLevel' as log_level, title, region, account_id, tags, _ctx from aws_api_gateway_stage union select stage_name, 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name as arn, default_route_logging_level as log_level, title, region, account_id, tags, _ctx from aws_api_gatewayv2_stage)select arn as resource, case when log_level is null or log_level = '' or log_level = 'OFF' then 'alarm' else 'ok' end as status, case when log_level is null or log_level = '' or log_level = 'OFF' then title || ' logging not enabled.' else title || ' logging enabled.' end as reason , region, account_idfrom all_stages;