API Gateway Access Logging Disabled

  • Query id: 80d45af4-4920-4236-a56e-b7ef419d1941
  • Query name: API Gateway Access Logging Disabled
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Observability
  • URL: Github

Description

API Gateway Stage should have Access Logging Settings defined
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      AccessLogSetting: 
        DestinationArn: "dest"
        Format: "format"
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
      ClientCertificateId: ""
      Variables:
        Stack: Prod
      MethodSettings:
        - ResourcePath: /
          HttpMethod: GET
          MetricsEnabled: false
          DataTraceEnabled: false
        - ResourcePath: /stack
          HttpMethod: POST
          MetricsEnabled: false
          DataTraceEnabled: false
        - ResourcePath: /stack
          HttpMethod: GET
          MetricsEnabled: true
          DataTraceEnabled: false
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "Description": "Prod Stage",
        "AccessLogSettings": {
            "DestinationArn": "dest",
            "Format": "format"
        },
        "DeploymentId": "MyDeployment",
        "ApiId": "CFNWebSocket",
        "StageName": "Prod"
      }
    }
  }
}
Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "StageName": "Prod",
        "Description": "Prod Stage",
        "AccessLogSettings": {
            "DestinationArn": "dest",
            "Format": "format"
        },
        "DeploymentId": {
          "Ref": "MyDeployment"
        },
        "ApiId": {
          "Ref": "CFNWebSocket"
        },
        "DefaultRouteSettings": {
          "DetailedMetricsEnabled": true,
          "LoggingLevel": "OFF",
          "DataTraceEnabled": false,
          "ThrottlingBurstLimit": 10,
          "ThrottlingRateLimit": 10
        }
      }
    }
  }
}

Positive test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "StageName": "Prod",
        "Description": "Prod Stage",
        "AccessLogSettings": {
            "DestinationArn": "dest",
            "Format": "format"
        },
        "DeploymentId": {
          "Ref": "MyDeployment"
        },
        "ApiId": {
          "Ref": "CFNWebSocket"
        },
        "DefaultRouteSettings": {
          "DetailedMetricsEnabled": true,
          "DataTraceEnabled": false,
          "ThrottlingBurstLimit": 10,
          "ThrottlingRateLimit": 10
        }
      }
    }
  }
}
Positive test num. 5 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "StageName": "Prod",
        "Description": "Prod Stage",
        "DeploymentId": {
          "Ref": "MyDeployment"
        },
        "ApiId": {
          "Ref": "CFNWebSocket"
        },
        "DefaultRouteSettings": {
          "DetailedMetricsEnabled": true,
          "LoggingLevel": "INFO",
          "DataTraceEnabled": false,
          "ThrottlingBurstLimit": 10,
          "ThrottlingRateLimit": 10
        }
      }
    }
  }
}
Positive test num. 6 - json file
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyStage": {
            "Type": "AWS::ApiGateway::Stage",
            "Properties": {
                "StageName": "Prod",
                "Description": "Prod Stage",
                "DeploymentId": {
                    "Ref": "MyDeployment"
                },
                "MethodSettings": {
                  "DetailedMetricsEnabled": true,
                  "LoggingLevel": "INFO",
                  "DataTraceEnabled": false,
                  "ThrottlingBurstLimit": 10,
                  "ThrottlingRateLimit": 10
                },
                "RestApiId": {
                    "Ref": "CFNWebSocket"
                }
            }
        }
    }
}
Positive test num. 7 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "Description": "Prod Stage",
        "AccessLogSetting": {
            "DestinationArn": "dest",
            "Format": "format"
        },
        "DeploymentId": "MyDeployment",
        "RestApiId": "CFNWebSocket",
        "StageName": "Prod"
      }
    }
  }
}
Positive test num. 8 - yaml file
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      AccessLogSetting: 
        DestinationArn: "dest"
        Format: "format"
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
Positive test num. 9 - yaml file
Resources:
  Prod:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      AccessLogSettings: 
        DestinationArn: "dest"
        Format: "format"
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
      ApiId: "teste"
Positive test num. 10 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "StageName": "Prod",
        "Description": "Prod Stage",
        "AccessLogSetting": {
            "DestinationArn": "dest",
            "Format": "format"
        },
        "DeploymentId": {
          "Ref": "MyDeployment"
        },
        "RestApiId": {
          "Ref": "CFNWebSocket"
        },
        "MethodSettings": {
        }
      }
    }
  }
}
Positive test num. 11 - yaml file
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      AccessLogSetting: 
        DestinationArn: "dest"
        Format: "format"
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
      MethodSettings:
Positive test num. 12 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "StageName": "Prod",
        "Description": "Prod Stage",
        "AccessLogSetting": {
            "DestinationArn": "dest",
            "Format": "format"
        },
        "DeploymentId": {
          "Ref": "MyDeployment"
        },
        "RestApiId": {
          "Ref": "CFNWebSocket"
        },
        "MethodSettings": {
          "DetailedMetricsEnabled": true,
          "LoggingLevel": "OFF",
          "DataTraceEnabled": false,
          "ThrottlingBurstLimit": 10,
          "ThrottlingRateLimit": 10
        }
      }
    }
  }
}
Positive test num. 13 - yaml file
Resources:
  Prod:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      AccessLogSettings: 
        DestinationArn: "dest"
        Format: "format"
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
      ApiId: "teste"
      DefaultRouteSettings:
Positive test num. 14 - yaml file
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      AccessLogSetting: 
        DestinationArn: "dest"
        Format: "format"
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
      MethodSettings:
        LoggingLevel: "OFF"
Positive test num. 15 - yaml file
Resources:
  Prod:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      AccessLogSettings: 
        DestinationArn: "dest"
        Format: "format"
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
      ApiId: "teste"
      DefaultRouteSettings:
        LoggingLevel: "OFF"
Positive test num. 16 - yaml file
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
      MethodSettings:
        LoggingLevel: "ON"
Positive test num. 17 - yaml file
Resources:
  Prod:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
      ApiId: "teste"
      DefaultRouteSettings:
        LoggingLevel: "ON"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
  MyStage:
    Type: 'AWS::ApiGatewayV2::Stage'
    Properties:
      StageName: Prod
      Description: Prod Stage
      DeploymentId: !Ref MyDeployment
      ApiId: !Ref CFNWebSocket
      DefaultRouteSettings:
        DetailedMetricsEnabled: true
        LoggingLevel: INFO
        DataTraceEnabled: false
        ThrottlingBurstLimit: 10
        ThrottlingRateLimit: 10
      AccessLogSettings:
        DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
        Format: >-
          {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
          "caller":"$context.identity.caller",
          "user":"$context.identity.user","requestTime":"$context.requestTime",
          "eventType":"$context.eventType","routeKey":"$context.routeKey",
          "status":"$context.status","connectionId":"$context.connectionId"}
Negative test num. 2 - json file
{
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "StageName": "Prod",
        "Description": "Prod Stage",
        "DeploymentId": "MyDeployment",
        "ApiId": "CFNWebSocket",
        "DefaultRouteSettings": {
          "DetailedMetricsEnabled": true,
          "LoggingLevel": "INFO",
          "DataTraceEnabled": false,
          "ThrottlingBurstLimit": 10,
          "ThrottlingRateLimit": 10
        },
        "AccessLogSettings": {
          "DestinationArn": "arn:aws:logs:us-east-1:123456789:log-group:my-log-group",
          "Format": "{\"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\",\"requestTime\":\"$context.requestTime\", \"eventType\":\"$context.eventType\",\"routeKey\":\"$context.routeKey\", \"status\":\"$context.status\",\"connectionId\":\"$context.connectionId\"}"
        }
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53"
}
Negative test num. 3 - json file
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyStage": {
            "Type": "AWS::ApiGateway::Stage",
            "Properties": {
                "StageName": "Prod",
                "Description": "Prod Stage",
                "AccessLogSetting": {
                    "DestinationArn": "dest",
                    "Format": "format"
                },
                "DeploymentId": {
                    "Ref": "MyDeployment"
                },
                "MethodSettings": {
                  "DetailedMetricsEnabled": true,
                  "LoggingLevel": "INFO",
                  "DataTraceEnabled": false,
                  "ThrottlingBurstLimit": 10,
                  "ThrottlingRateLimit": 10
                },
                "RestApiId": {
                    "Ref": "CFNWebSocket"
                }
            }
        }
    }
}

Negative test num. 4 - yaml file
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
      MethodSettings:
        LoggingLevel: "ON"
      AccessLogSetting:
        DestinationArn: "dest"
        Format: "format"