API Gateway With CloudWatch Logging Disabled
- Query id: 982aa526-6970-4c59-8b9b-2ce7e019fe36
- Query name: API Gateway With CloudWatch Logging Disabled
- Platform: Terraform
- Severity: Medium
- Category: Observability
- URL: Github
Description¶
AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
variable "stage_name" {
default = "example"
type = string
}
variable "stage_names" {
default = "examples"
type = string
}
resource "aws_api_gateway_rest_api" "example" {
# ... other configuration ...
}
resource "aws_api_gateway_stage" "example" {
depends_on = [aws_cloudwatch_log_group.example]
stage_name = var.stage_name
# ... other configuration ...
}
resource "aws_cloudwatch_log_group" "example" {
name = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${var.stage_names}"
retention_in_days = 7
# ... potentially other configuration ...
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
variable "stage_name" {
default = "example"
type = string
}
resource "aws_api_gateway_rest_api" "example" {
# ... other configuration ...
}
resource "aws_api_gateway_stage" "example" {
depends_on = [aws_cloudwatch_log_group.example]
stage_name = var.stage_name
# ... other configuration ...
}
resource "aws_cloudwatch_log_group" "example" {
name = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${var.stage_name}"
retention_in_days = 7
# ... potentially other configuration ...
}