API Gateway stage does not have logging level defined appropriately

Description

It is generally a good practice to define the logging level for your API Gateway stages appropriately because it allows you to capture and review detailed information about the requests and responses handled by your API. This can be especially useful for debugging issues, analyzing the usage patterns of your API, and identifying potential performance bottlenecks. By default, the logging level for API Gateway stages is set to "OFF", which means that no logs are generated. You can choose to enable logging at the "ERROR" level, which will capture only log entries that correspond to error responses generated by your API. Alternatively, you can enable logging at the "INFO" level, which will capture log entries for both error responses and successful requests.

Code Example

```hcl
resource "aws_api_gateway_rest_api" "ok_example" {
  body = jsonencode({
    openapi = "3.0.1"
    info = {
      title   = "ok_example"
      version = "1.0"
    }
    paths = {
      "/path1" = {
        get = {
          x-amazon-apigateway-integration = {
            httpMethod           = "GET"
            payloadFormatVersion = "1.0"
            type                 = "HTTP_PROXY"
            uri                  = "https://ip-ranges.amazonaws.com/ip-ranges.json"
          }
        }
      }
    }
  })

  name = "ok_example"
}

resource "aws_api_gateway_deployment" "ok_example" {
  rest_api_id = aws_api_gateway_rest_api.ok_example.id

  triggers = {
    redeployment = sha1(jsonencode(aws_api_gateway_rest_api.ok_example.body))
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_api_gateway_stage" "ok_example" {
  deployment_id = aws_api_gateway_deployment.ok_example.id
  rest_api_id   = aws_api_gateway_rest_api.ok_example.id
  stage_name    = "ok_example"
}

# Stage-wide method settings ("*/*" covers every resource and method);
# logging_level must be "ERROR" or "INFO", since the default is "OFF".
resource "aws_api_gateway_method_settings" "all" {
  rest_api_id = aws_api_gateway_rest_api.ok_example.id
  stage_name  = aws_api_gateway_stage.ok_example.stage_name
  method_path = "*/*"

  settings {
    metrics_enabled = true
    logging_level   = "ERROR"
  }
}
```
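The rule also runs against the TerraformPlan framework, so the check can be expressed over `terraform show -json` output. The following is an added, simplified example (not Checkov's own implementation): it walks the plan's `planned_values`, collects every `aws_api_gateway_method_settings` whose `settings` block sets `logging_level` to `ERROR` or `INFO`, and reports each `aws_api_gateway_stage` with no such coverage. Stages and settings are matched on `stage_name`, an assumption made because `rest_api_id` is normally still unknown at plan time; the plan excerpt is constructed.

```python
import json

# Logging levels that satisfy the rule; "OFF" (the default) does not.
COMPLIANT_LEVELS = {"ERROR", "INFO"}

def _resources(plan):
    """Yield every planned resource, descending into child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))

def find_unlogged_stages(plan):
    """Return addresses of aws_api_gateway_stage resources that no
    aws_api_gateway_method_settings covers with logging_level ERROR/INFO."""
    resources = list(_resources(plan))
    logged = set()  # stage_name values that have compliant method settings
    for res in resources:
        if res.get("type") != "aws_api_gateway_method_settings":
            continue
        vals = res.get("values", {})
        # "settings" is a block, so the plan JSON renders it as a list of objects
        for block in vals.get("settings", []):
            if block.get("logging_level") in COMPLIANT_LEVELS:
                logged.add(vals.get("stage_name"))
    return [res["address"] for res in resources
            if res.get("type") == "aws_api_gateway_stage"
            and res.get("values", {}).get("stage_name") not in logged]

# Constructed plan excerpt: the page's compliant stage plus two failing ones.
SAMPLE_PLAN = json.loads("""{"planned_values": {"root_module": {"resources": [
 {"address": "aws_api_gateway_stage.ok_example", "type": "aws_api_gateway_stage",
  "values": {"stage_name": "ok_example"}},
 {"address": "aws_api_gateway_method_settings.all",
  "type": "aws_api_gateway_method_settings",
  "values": {"stage_name": "ok_example", "method_path": "*/*",
             "settings": [{"metrics_enabled": true, "logging_level": "ERROR"}]}},
 {"address": "aws_api_gateway_stage.dev", "type": "aws_api_gateway_stage",
  "values": {"stage_name": "dev"}},
 {"address": "aws_api_gateway_method_settings.dev",
  "type": "aws_api_gateway_method_settings",
  "values": {"stage_name": "dev", "method_path": "*/*",
             "settings": [{"metrics_enabled": false, "logging_level": "OFF"}]}},
 {"address": "aws_api_gateway_stage.prod", "type": "aws_api_gateway_stage",
  "values": {"stage_name": "prod"}}
]}}}""")

for address in find_unlogged_stages(SAMPLE_PLAN):
    print("stage without ERROR/INFO logging:", address)
```

Against the constructed plan, `dev` fails because its settings explicitly keep `logging_level = "OFF"`, and `prod` fails because it has no method settings at all.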

Remediation

Terraform

  • Resource: aws_api_gateway_rest_api, aws_api_gateway_deployment, aws_api_gateway_method_settings

Rule Details

| Field | Value |
|---|---|
| ID | IAC-0443 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AWS_4 |

References