API Gateway Access Logging Disabled
- Query id: 80d45af4-4920-4236-a56e-b7ef419d1941
- Query name: API Gateway Access Logging Disabled
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- URL: Github
Description
An API Gateway Stage should have its access logging settings defined.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
# Positive sample: an AWS::ApiGateway::Stage that this query flags.
# AccessLogSetting is present but only with placeholder values, and none of the
# three MethodSettings entries sets a LoggingLevel — presumably the reason it is
# flagged; confirm against the query's rule.
# `!Ref` is a CloudFormation intrinsic tag; a generic YAML safe loader without
# CloudFormation tag support will reject this document.
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      # Empty strings are kept as written in the fixture.
      DocumentationVersion: ''
      ClientCertificateId: ''
      Variables:
        Stack: Prod
      # Placeholder destination and format; not a real log-group ARN.
      AccessLogSetting:
        DestinationArn: 'dest'
        Format: 'format'
      # No entry enables execution logging (no LoggingLevel key).
      MethodSettings:
        - ResourcePath: /
          HttpMethod: GET
          MetricsEnabled: false
          DataTraceEnabled: false
        - ResourcePath: /stack
          HttpMethod: POST
          MetricsEnabled: false
          DataTraceEnabled: false
        - ResourcePath: /stack
          HttpMethod: GET
          MetricsEnabled: true
          DataTraceEnabled: false
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Router53",
"Resources": {
"MyStage": {
"Type": "AWS::ApiGatewayV2::Stage",
"Properties": {
"Description": "Prod Stage",
"AccessLogSettings": {
"DestinationArn": "dest",
"Format": "format"
},
"DeploymentId": "MyDeployment",
"ApiId": "CFNWebSocket",
"StageName": "Prod"
}
}
}
}
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyStage": {
"Type": "AWS::ApiGatewayV2::Stage",
"Properties": {
"StageName": "Prod",
"Description": "Prod Stage",
"AccessLogSettings": {
"DestinationArn": "dest",
"Format": "format"
},
"DeploymentId": {
"Ref": "MyDeployment"
},
"ApiId": {
"Ref": "CFNWebSocket"
},
"DefaultRouteSettings": {
"DetailedMetricsEnabled": true,
"LoggingLevel": "OFF",
"DataTraceEnabled": false,
"ThrottlingBurstLimit": 10,
"ThrottlingRateLimit": 10
}
}
}
}
}
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyStage": {
"Type": "AWS::ApiGatewayV2::Stage",
"Properties": {
"StageName": "Prod",
"Description": "Prod Stage",
"AccessLogSettings": {
"DestinationArn": "dest",
"Format": "format"
},
"DeploymentId": {
"Ref": "MyDeployment"
},
"ApiId": {
"Ref": "CFNWebSocket"
},
"DefaultRouteSettings": {
"DetailedMetricsEnabled": true,
"DataTraceEnabled": false,
"ThrottlingBurstLimit": 10,
"ThrottlingRateLimit": 10
}
}
}
}
}
Positive test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyStage": {
"Type": "AWS::ApiGatewayV2::Stage",
"Properties": {
"StageName": "Prod",
"Description": "Prod Stage",
"DeploymentId": {
"Ref": "MyDeployment"
},
"ApiId": {
"Ref": "CFNWebSocket"
},
"DefaultRouteSettings": {
"DetailedMetricsEnabled": true,
"LoggingLevel": "INFO",
"DataTraceEnabled": false,
"ThrottlingBurstLimit": 10,
"ThrottlingRateLimit": 10
}
}
}
}
}
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyStage": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"StageName": "Prod",
"Description": "Prod Stage",
"DeploymentId": {
"Ref": "MyDeployment"
},
"MethodSettings": {
"DetailedMetricsEnabled": true,
"LoggingLevel": "INFO",
"DataTraceEnabled": false,
"ThrottlingBurstLimit": 10,
"ThrottlingRateLimit": 10
},
"RestApiId": {
"Ref": "CFNWebSocket"
}
}
}
}
}
Positive test num. 7 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Router53",
"Resources": {
"MyStage": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"Description": "Prod Stage",
"AccessLogSetting": {
"DestinationArn": "dest",
"Format": "format"
},
"DeploymentId": "MyDeployment",
"RestApiId": "CFNWebSocket",
"StageName": "Prod"
}
}
}
}
Positive test num. 8 - yaml file
Positive test num. 9 - yaml file
Positive test num. 10 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyStage": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"StageName": "Prod",
"Description": "Prod Stage",
"AccessLogSetting": {
"DestinationArn": "dest",
"Format": "format"
},
"DeploymentId": {
"Ref": "MyDeployment"
},
"RestApiId": {
"Ref": "CFNWebSocket"
},
"MethodSettings": {
}
}
}
}
}
Positive test num. 11 - yaml file
Positive test num. 12 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyStage": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"StageName": "Prod",
"Description": "Prod Stage",
"AccessLogSetting": {
"DestinationArn": "dest",
"Format": "format"
},
"DeploymentId": {
"Ref": "MyDeployment"
},
"RestApiId": {
"Ref": "CFNWebSocket"
},
"MethodSettings": {
"DetailedMetricsEnabled": true,
"LoggingLevel": "OFF",
"DataTraceEnabled": false,
"ThrottlingBurstLimit": 10,
"ThrottlingRateLimit": 10
}
}
}
}
}
Positive test num. 13 - yaml file
Positive test num. 14 - yaml file
Positive test num. 15 - yaml file
# Positive sample: an AWS::ApiGatewayV2::Stage whose DefaultRouteSettings
# explicitly turns route logging off (LoggingLevel "OFF"), so it is flagged even
# though AccessLogSettings is present.
# LoggingLevel must stay quoted: a bare OFF is read as boolean false by
# YAML 1.1 parsers.
# `!Ref` is a CloudFormation intrinsic tag; a generic YAML safe loader without
# CloudFormation tag support will reject this document.
# NOTE(review): RestApiId and DocumentationVersion look like REST (v1) Stage
# properties — verify they are intended on an ApiGatewayV2 Stage fixture.
Resources:
  Prod:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      ApiId: 'teste'
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ''
      # Placeholder destination and format; not a real log-group ARN.
      AccessLogSettings:
        DestinationArn: 'dest'
        Format: 'format'
      DefaultRouteSettings:
        LoggingLevel: 'OFF'
Positive test num. 16 - yaml file
Positive test num. 17 - yaml file
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# Negative sample: an AWS::ApiGatewayV2::Stage that passes this query.
# AccessLogSettings points at a log-group ARN with a JSON access-log Format, and
# DefaultRouteSettings sets LoggingLevel to INFO rather than OFF.
# `!Ref` is a CloudFormation intrinsic tag; a generic YAML safe loader without
# CloudFormation tag support will reject this document.
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
  MyStage:
    Type: "AWS::ApiGatewayV2::Stage"
    Properties:
      StageName: Prod
      Description: Prod Stage
      DeploymentId: !Ref MyDeployment
      ApiId: !Ref CFNWebSocket
      # Sample ARN value from the fixture (not a real account).
      AccessLogSettings:
        DestinationArn: "arn:aws:logs:us-east-1:123456789:log-group:my-log-group"
        # Folded scalar: the lines below join into one JSON line at runtime.
        # Line breaks are kept exactly as in the fixture so the folded value is unchanged.
        Format: >-
          {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
          "caller":"$context.identity.caller",
          "user":"$context.identity.user","requestTime":"$context.requestTime",
          "eventType":"$context.eventType","routeKey":"$context.routeKey",
          "status":"$context.status","connectionId":"$context.connectionId"}
      DefaultRouteSettings:
        DetailedMetricsEnabled: true
        LoggingLevel: INFO
        DataTraceEnabled: false
        ThrottlingBurstLimit: 10
        ThrottlingRateLimit: 10
Negative test num. 2 - json file
{
"Resources": {
"MyStage": {
"Type": "AWS::ApiGatewayV2::Stage",
"Properties": {
"StageName": "Prod",
"Description": "Prod Stage",
"DeploymentId": "MyDeployment",
"ApiId": "CFNWebSocket",
"DefaultRouteSettings": {
"DetailedMetricsEnabled": true,
"LoggingLevel": "INFO",
"DataTraceEnabled": false,
"ThrottlingBurstLimit": 10,
"ThrottlingRateLimit": 10
},
"AccessLogSettings": {
"DestinationArn": "arn:aws:logs:us-east-1:123456789:log-group:my-log-group",
"Format": "{\"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\",\"requestTime\":\"$context.requestTime\", \"eventType\":\"$context.eventType\",\"routeKey\":\"$context.routeKey\", \"status\":\"$context.status\",\"connectionId\":\"$context.connectionId\"}"
}
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Router53"
}
Negative test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyStage": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"StageName": "Prod",
"Description": "Prod Stage",
"AccessLogSetting": {
"DestinationArn": "dest",
"Format": "format"
},
"DeploymentId": {
"Ref": "MyDeployment"
},
"MethodSettings": {
"DetailedMetricsEnabled": true,
"LoggingLevel": "INFO",
"DataTraceEnabled": false,
"ThrottlingBurstLimit": 10,
"ThrottlingRateLimit": 10
},
"RestApiId": {
"Ref": "CFNWebSocket"
}
}
}
}
}