API Gateway Stage Access Logging Settings Not Defined

  • Query id: 80d45af4-4920-4236-a56e-b7ef419d1941
  • Query name: API Gateway Stage Access Logging Settings Not Defined
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Observability
  • URL: Github

Description

API Gateway Stage should have Access Logging Settings defined
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
      ClientCertificateId: ""
      Variables:
        Stack: Prod
      MethodSettings:
        - ResourcePath: /
          HttpMethod: GET
          MetricsEnabled: false
          DataTraceEnabled: false
        - ResourcePath: /stack
          HttpMethod: POST
          MetricsEnabled: false
          DataTraceEnabled: false
        - ResourcePath: /stack
          HttpMethod: GET
          MetricsEnabled: true
          DataTraceEnabled: false
Postitive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "Description": "Prod Stage",
        "DeploymentId": "MyDeployment",
        "ApiId": "CFNWebSocket",
        "StageName": "Prod"
      }
    }
  }
}
Postitive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "StageName": "Prod",
        "Description": "Prod Stage",
        "DeploymentId": {
          "Ref": "MyDeployment"
        },
        "ApiId": {
          "Ref": "CFNWebSocket"
        },
        "DefaultRouteSettings": {
          "DetailedMetricsEnabled": true,
          "LoggingLevel": "OFF",
          "DataTraceEnabled": false,
          "ThrottlingBurstLimit": 10,
          "ThrottlingRateLimit": 10
        }
      }
    }
  }
}

Postitive test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "StageName": "Prod",
        "Description": "Prod Stage",
        "DeploymentId": {
          "Ref": "MyDeployment"
        },
        "ApiId": {
          "Ref": "CFNWebSocket"
        },
        "DefaultRouteSettings": {
          "DetailedMetricsEnabled": true,
          "DataTraceEnabled": false,
          "ThrottlingBurstLimit": 10,
          "ThrottlingRateLimit": 10
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
  MyStage:
    Type: 'AWS::ApiGatewayV2::Stage'
    Properties:
      StageName: Prod
      Description: Prod Stage
      DeploymentId: !Ref MyDeployment
      ApiId: !Ref CFNWebSocket
      DefaultRouteSettings:
        DetailedMetricsEnabled: true
        LoggingLevel: INFO
        DataTraceEnabled: false
        ThrottlingBurstLimit: 10
        ThrottlingRateLimit: 10
      AccessLogSettings:
        DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
        Format: >-
          {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
          "caller":"$context.identity.caller",
          "user":"$context.identity.user","requestTime":"$context.requestTime",
          "eventType":"$context.eventType","routeKey":"$context.routeKey",
          "status":"$context.status","connectionId":"$context.connectionId"}
Negative test num. 2 - json file
{
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "StageName": "Prod",
        "Description": "Prod Stage",
        "DeploymentId": "MyDeployment",
        "ApiId": "CFNWebSocket",
        "DefaultRouteSettings": {
          "DetailedMetricsEnabled": true,
          "LoggingLevel": "INFO",
          "DataTraceEnabled": false,
          "ThrottlingBurstLimit": 10,
          "ThrottlingRateLimit": 10
        },
        "AccessLogSettings": {
          "DestinationArn": "arn:aws:logs:us-east-1:123456789:log-group:my-log-group",
          "Format": "{\"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\",\"requestTime\":\"$context.requestTime\", \"eventType\":\"$context.eventType\",\"routeKey\":\"$context.routeKey\", \"status\":\"$context.status\",\"connectionId\":\"$context.connectionId\"}"
        }
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53"
}
Negative test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "Description": "Prod Stage",
        "DeploymentId": "MyDeployment",
        "ApiId": "CFNWebSocket",
        "DefaultRouteSettings": {
          "ThrottlingBurstLimit": 10,
          "ThrottlingRateLimit": 10,
          "DetailedMetricsEnabled": true,
          "LoggingLevel": "INFO",
          "DataTraceEnabled": false
        },
        "StageName": "Prod"
      }
    }
  }
}

Negative test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "StageName": "Prod",
        "Description": "Prod Stage",
        "DeploymentId": {
          "Ref": "MyDeployment"
        },
        "ApiId": {
          "Ref": "CFNWebSocket"
        },
        "DefaultRouteSettings": {
          "DetailedMetricsEnabled": true,
          "LoggingLevel": "INFO",
          "DataTraceEnabled": false,
          "ThrottlingBurstLimit": 10,
          "ThrottlingRateLimit": 10
        }
      }
    }
  }
}