Sttor Documentation

Appearance

API Gateway does not have access logging enabled

Description

Enabling the custom access logging option in API Gateway allows delivery of custom logs to CloudWatch Logs, which can be analyzed using CloudWatch Logs Insights. Using custom domain names in Amazon API Gateway allows insights into requests sent to each custom domain name. If there is more than one custom domain name mapped to a single API, understanding the quantity and type of requests by domain name may help understand request patterns.

Code Example

go
resource "aws_api_gateway_stage" "test" {
  ...
  stage_name    = "prod"
+ access_log_settings {
+   destination_arn = "${aws_cloudwatch_log_group.example.arn}"
+   format          = "..."  
+  }
  ...
}

Remediation

  • AWS Console*

Procedure:

. Log in to the AWS Management Console at [https://console.aws.amazon.com/].

. Open the https://console.aws.amazon.com/apigateway/ [Amazon API Gateway console].

. Find the Stage Editor for your API.

. On the * Stage Editor* pane, choose the * Logs/Tracing* tab.

. On the Logs/Tracing tab, under CloudWatch Settings, do the following to enable execution logging.

. Select the * Enable CloudWatch Logs* check box.

. For Log level, choose * INFO **to generate execution logs for all requests. + Or, choose * ERROR **to generate execution logs only for requests to your API that result in an error.

. Select the Log full requests/responses data check box for a REST API. + Or, select the Log full message data check box for a WebSocket API.

. Under * Custom Access Logging*, select the Enable Access Logging check box.

. For * Access Log Destination ARN*, enter the ARN of a CloudWatch log group or an Amazon Kinesis Data Firehose stream.

. Enter a Log Format. + For guidance, you can choose CLF, JSON, XML, or CSV to see an example in that format.

. Click * Save Changes*. === Fix - Buildtime

Terraform

  • Resource: aws_api_gateway_stage
  • Arguments: access_log_settings - (Optional) Enables access logs for the API stage.

Rule Details

FieldValue
IDIAC-0129
SeverityLOW
IaC TypeCloudformation
FrameworksCloudFormation, Terraform, TerraformPlan, Serverless
Checkov IDCKV_AWS_76

References

Copyright © 2026 Sttor