AWS API Gateway V2 has Access Logging is disabled
Description
Enabling access logging for API Gateway V2 (including both HTTP APIs and WebSocket APIs) is critical for monitoring and auditing API usage. Access logging provides detailed records of requests sent to your API, including requester IP, requested paths, response status, and latency. This information is invaluable for troubleshooting, understanding API usage patterns, and identifying potential security threats. This policy ensures that access logging is configured for API Gateway V2 stages, thereby enhancing the observability and security of your API infrastructure.
Code Example
Resources:
MyHttpApi:
Type: AWS::ApiGatewayV2::Stage
Properties:
ApiId: !Ref MyApi
StageName: 'prod'
AccessLogSettings:
+ DestinationArn: !GetAtt MyLogGroup.Arn
Format: '{"requestId":"$context.requestId", "ip":"$context.identity.sourceIp", "requestTime":"$context.requestTime", "httpMethod":"$context.httpMethod", "routeKey":"$context.routeKey", "status":"$context.status", "protocol":"$context.protocol", "responseLength":"$context.responseLength"}'
MyLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: /aws/apigateway/myhttpapi/logs
RetentionInDays: 365Remediation
CloudFormation
Resources: AWS::ApiGatewayV2::Stage, AWS::Serverless::HttpApi Logging Configuration: Ensure the AccessLogSettings property specifies a DestinationArn for storing access logs.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0148 |
| Severity | LOW |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation |
| Checkov ID | CKV_AWS_95 |