API Gateway With CloudWatch Logging Disabled

  • Query id: 982aa526-6970-4c59-8b9b-2ce7e019fe36
  • Query name: API Gateway With CloudWatch Logging Disabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Observability
  • CWE: 778
  • Risk score: 5.1
  • URL: Github

Description

AWS CloudWatch Logs for APIs should be enabled and use the naming convention described in the documentation
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# Positive case: the stage is named from var.stage_name, but the log group below
# is named from var.stage_names, so the group's name does not correspond to the
# stage it is meant to serve. This is the only difference from negative test 1.
variable "stage_name" {
  default = "example"
  type    = string
}
# Second, differently valued variable; only referenced in the log group name.
variable "stage_names" {
  default = "examples"
  type    = string
}

resource "aws_api_gateway_rest_api" "example" {
  # ... other configuration ...
}

resource "aws_api_gateway_stage" "positive1" {
  # Ordering the group before the stage is not sufficient on its own; the
  # group's name must also match this stage (compare negative test 1).
  depends_on = [aws_cloudwatch_log_group.example]

  stage_name = var.stage_name
  # ... other configuration ...
}

resource "aws_cloudwatch_log_group" "example" {
  # Flagged: "${var.stage_names}" resolves to "examples" while the stage is
  # "example", so the API-Gateway-Execution-Logs_<api id>/<stage> name points
  # at a stage that does not exist.
  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${var.stage_names}"
  retention_in_days = 7
  # ... potentially other configuration ...
}
Positive test num. 2 - tf file
# Positive case: access_log_settings is present but its destination references
# a log group (wrong_sample_name) that is not declared here; the only group
# declared is "sample_name". This is the only difference from negative test 3.
resource "aws_api_gateway_rest_api" "apiLambda" {
    # ... other configuration ...
}

resource "aws_api_gateway_stage" "positive2" {
  depends_on         = [aws_api_gateway_deployment.api_http_method_deployment]
  stage_name         = "qa"
  access_log_settings {
    # Flagged: no aws_cloudwatch_log_group "wrong_sample_name" exists in this
    # sample. NOTE(review): taken in isolation this reference would also fail
    # terraform validate; the query reports it regardless.
    destination_arn = aws_cloudwatch_log_group.wrong_sample_name.arn
    # ...
  }
}

# Declared group that the stage above does not actually use; its name also
# does not follow the API-Gateway-Execution-Logs_<api id>/<stage> pattern.
resource "aws_cloudwatch_log_group" "sample_name" {
  name = "/aws/api-gateway/apigw-name-app"
  retention_in_days = 14
  # ... potentially other configuration ...
}
Positive test num. 3 - tf file
# Positive case: the stage's access log destination is null and no log group
# named after this API/stage exists, so nothing is delivered to CloudWatch.
# Compare negative test 4, where a null destination is tolerated only because
# a group following the execution-logs naming convention is declared.
resource "aws_api_gateway_rest_api" "apiLambda" {
    # ... other configuration ...
}

resource "aws_api_gateway_stage" "positive3" {
  depends_on         = [aws_api_gateway_deployment.api_http_method_deployment]
  stage_name         = "qa"
  access_log_settings {
    # Flagged: a null destination disables access logging for the stage.
    destination_arn = null
    # ...
  }
}

# Present but unreferenced, and not named after the API/stage.
resource "aws_cloudwatch_log_group" "sample_name" {
  name = "/aws/api-gateway/apigw-name-app"
  retention_in_days = 14
  # ... potentially other configuration ...
}

Positive test num. 4 - tf file
# Positive case: the stage has no access_log_settings block at all, and the
# only log group declared is not named after this API/stage.
resource "aws_api_gateway_rest_api" "apiLambda" {
    # ... other configuration ...
}

# Flagged: neither an access-log destination nor a conventionally named
# execution-log group is associated with stage "qa".
resource "aws_api_gateway_stage" "positive4" {
  depends_on         = [aws_api_gateway_deployment.api_http_method_deployment]
  stage_name         = "qa"
}

# Unrelated to the stage above: not referenced, and not named
# API-Gateway-Execution-Logs_<api id>/<stage>.
resource "aws_cloudwatch_log_group" "sample_name" {
  name = "/aws/api-gateway/apigw-name-app"
  retention_in_days = 14
  # ... potentially other configuration ...
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# Negative case: the log group is named after the REST API id and the same
# var.stage_name the stage uses, matching the execution-logs naming convention.
variable "stage_name" {
  default = "example"
  type    = string
}

resource "aws_api_gateway_rest_api" "example" {
  # ... other configuration ...
}

resource "aws_api_gateway_stage" "example" {
  # Create the group before the stage so the stage's logs land in a group
  # whose retention is managed here rather than one created implicitly.
  depends_on = [aws_cloudwatch_log_group.example]

  stage_name = var.stage_name
  # ... other configuration ...
}

# NOTE(review): this satisfies the query, but the sample does not show the
# method settings (logging level) or account-level CloudWatch role that
# execution logging also depends on — confirm those elsewhere in the config.
resource "aws_cloudwatch_log_group" "example" {
  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${var.stage_name}"
  retention_in_days = 7
  # ... potentially other configuration ...
}
Negative test num. 2 - tf file
# Negative case: same shape as negative test 1, but the stage name comes from
# a module output (module.env.vars.stage_name) instead of a variable, and the
# log group name uses that same expression.
module "env" {
  source = "./env"
}

resource "aws_api_gateway_rest_api" "example" {
  # ... other configuration ...
}

resource "aws_api_gateway_stage" "example" {
  depends_on = [aws_cloudwatch_log_group.example]

  # Must be the identical expression used in the log group name below.
  stage_name = module.env.vars.stage_name
  # ... other configuration ...
}

resource "aws_cloudwatch_log_group" "example" {
  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${module.env.vars.stage_name}"
  retention_in_days = 7
  # ... potentially other configuration ...
}
Negative test num. 3 - tf file
# Negative case: logging is satisfied through access_log_settings whose
# destination resolves to a log group declared in this file, so the group's
# own name does not need to follow the execution-logs convention.
resource "aws_api_gateway_rest_api" "apiLambda" {
    # ... other configuration ...
}

resource "aws_api_gateway_stage" "api_stage_environment" {
  depends_on         = [aws_api_gateway_deployment.api_http_method_deployment]
  stage_name         = "qa"
  access_log_settings {
    # Reference to an existing group (compare positive test 2, which points
    # at an undeclared one).
    destination_arn = aws_cloudwatch_log_group.sample_name.arn
    # ...
  }
}

resource "aws_cloudwatch_log_group" "sample_name" {
  name = "/aws/api-gateway/apigw-name-app"
  retention_in_days = 14
  # ... potentially other configuration ...
}

Negative test num. 4 - tf file
# Negative case: access_log_settings.destination_arn is null, yet the sample
# passes because a log group named after the API id and stage (var.stage_name)
# is declared — the conventionally named group is what the query accepts here.
variable "stage_name" {
  default = "example"
  type    = string
}
# Declared but unused in this sample.
variable "stage_names" {
  default = "examples"
  type    = string
}

resource "aws_api_gateway_rest_api" "example" {
  # ... other configuration ...
}

resource "aws_api_gateway_stage" "example" {
  depends_on = [aws_cloudwatch_log_group.example]

  stage_name = var.stage_name
  access_log_settings {
    # NOTE(review): a null destination means no access logs are written for
    # this stage even though the query is satisfied by the execution-log group
    # below; access logs and execution logs are separate streams, so confirm a
    # real destination is wanted before relying on this pattern.
    destination_arn = null
    # ...
  }
  # ... other configuration ...
}

resource "aws_cloudwatch_log_group" "example" {
  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${var.stage_name}"
  retention_in_days = 7
  # ... potentially other configuration ...
}
Negative test num. 5 - tf file
# Negative case: both mechanisms are present — a conventionally named
# execution-log group for the stage, and an access-log destination that
# resolves to a second, explicitly declared group.
module "env" {
  source = "./env"
}

resource "aws_api_gateway_rest_api" "example" {
  # ... other configuration ...
}

resource "aws_api_gateway_stage" "example" {
  depends_on = [aws_cloudwatch_log_group.example]

  stage_name = module.env.vars.stage_name
  access_log_settings {
    # Access logs go to "sample_name"; execution logs are covered by "example".
    destination_arn = aws_cloudwatch_log_group.sample_name.arn
    # ...
  }
  # ... other configuration ...
}

# Execution-log group, named with the same stage expression as the stage above.
resource "aws_cloudwatch_log_group" "example" {
  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${module.env.vars.stage_name}"
  retention_in_days = 7
  # ... potentially other configuration ...
}

# Access-log group referenced from access_log_settings; free-form name is fine
# because it is linked by ARN rather than by naming convention.
resource "aws_cloudwatch_log_group" "sample_name" {
  name = "/aws/api-gateway/apigw-name-app"
  retention_in_days = 14
  # ... potentially other configuration ...
}