Control: API Gateway stage logging should be enabled

Description

API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.apigateway_stage_logging_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.apigateway_stage_logging_enabled --share

SQL

This control uses a named query:

with all_stages as (
  select
    name as stage_name,
    'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name as arn,
    method_settings -> '*/*' ->> 'LoggingLevel' as log_level,
    title,
    region,
    account_id,
    tags,
    _ctx
  from
    aws_api_gateway_stage
  union
  select
    stage_name,
    'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name as arn,
    default_route_logging_level as log_level,
    title,
    region,
    account_id,
    tags,
    _ctx
  from
    aws_api_gatewayv2_stage
)
select
  arn as resource,
  case
    when log_level is null or log_level = '' or log_level = 'OFF' then 'alarm'
    else 'ok'
  end as status,
  case
    when log_level is null or log_level = '' or log_level = 'OFF' then title || ' logging not enabled.'
    else title || ' logging enabled.'
  end as reason
  
  , region, account_id
from
  all_stages;

Control: API Gateway stage logging should be enabled

Description

Usage

SQL

Tags