API Gateway With CloudWatch Logging Disabled

  • Query id: 72a931c2-12f5-40d1-93cc-47bff2f7aa2a
  • Query name: API Gateway With CloudWatch Logging Disabled
  • Platform: Ansible
  • Severity: Medium
  • Category: Observability
  • CWE: 778
  • URL: Github

Description

AWS CloudWatch Logs for API Gateway is not enabled: the `community.aws.cloudwatchlogs_log_group` task does not define `log_group_name`, so no log group is set up to receive the API's logs.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: Setup AWS API Gateway setup on AWS cloudwatchlogs
  community.aws.cloudwatchlogs_log_group:
    state: present
    kms_key_id: arn:aws:kms:region:account-id:key/key-id

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Setup AWS API Gateway setup on AWS cloudwatchlogs
  community.aws.cloudwatchlogs_log_group:
    state: present
    log_group_name: test-log-group
    tags: {Name: test-log-group, Env: QA}
    kms_key_id: arn:aws:kms:region:account-id:key/key-id
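The check this query performs, as an added example that is not part of the KICS project's own code: it walks a parsed playbook (the structure PyYAML's `yaml.safe_load` returns; a constructed Python literal stands in for it here so nothing needs to be installed), descends into `block`/`rescue`/`always`, and reports every `cloudwatchlogs_log_group` task, under the assumed module-name variants listed in `LOG_GROUP_MODULES`, that has no `log_group_name`.

```python
# Module names under which the CloudWatch Logs log-group module may be referenced
# (assumed variants: FQCN from community.aws, the amazon.aws move, and the short name).
LOG_GROUP_MODULES = {
    "community.aws.cloudwatchlogs_log_group",
    "amazon.aws.cloudwatchlogs_log_group",
    "cloudwatchlogs_log_group",
}
# Keys whose value is a list of tasks, at play level and inside block tasks.
TASK_LISTS = ("tasks", "pre_tasks", "post_tasks", "handlers", "block", "rescue", "always")


def iter_tasks(node):
    """Yield every leaf task dict, descending through plays and block/rescue/always."""
    if isinstance(node, list):
        for item in node:
            yield from iter_tasks(item)
    elif isinstance(node, dict):
        nested = [node[key] for key in TASK_LISTS if isinstance(node.get(key), list)]
        if nested:
            for task_list in nested:
                yield from iter_tasks(task_list)
        else:
            yield node


def find_log_groups_without_name(playbook):
    """Return the names of log-group tasks that omit log_group_name, in playbook order."""
    findings = []
    for task in iter_tasks(playbook):
        for module in LOG_GROUP_MODULES:
            params = task.get(module)
            if params is None:
                continue
            if isinstance(params, dict):
                ok = bool(params.get("log_group_name"))
            else:  # key=value string form of module arguments
                ok = isinstance(params, str) and "log_group_name=" in params
            if not ok:
                findings.append(task.get("name", "<unnamed task>"))
    return findings


# Constructed sample: this page's positive and negative tasks as yaml.safe_load
# would return them, plus the same defect nested inside a block.
SAMPLE_PLAYBOOK = [
    {"name": "Setup AWS API Gateway setup on AWS cloudwatchlogs",
     "community.aws.cloudwatchlogs_log_group": {
         "state": "present", "kms_key_id": "arn:aws:kms:region:account-id:key/key-id"}},
    {"name": "Compliant log group (negative sample)",
     "community.aws.cloudwatchlogs_log_group": {
         "state": "present", "log_group_name": "test-log-group",
         "tags": {"Name": "test-log-group", "Env": "QA"},
         "kms_key_id": "arn:aws:kms:region:account-id:key/key-id"}},
    {"name": "Wrapper block",
     "block": [{"name": "Nested log group without a name",
                "amazon.aws.cloudwatchlogs_log_group": {"state": "present"}}]},
]
```

Running `find_log_groups_without_name(SAMPLE_PLAYBOOK)` flags the positive sample and the nested task, and leaves the negative sample alone.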