Access logging not configured for API Gateway V2 stages

firetail:aws-api-gateway-stage-access-logging-off

Type:

CSPM

Rule Severity:

Low

The API Gateway V2 stage is not configured for access logging.

Access logs record one entry per request, with the details you select in the log format: source IP address, request ID, route and method, status code, response latency, selected headers, and so on. They are configured per stage, and they are separate from execution logging and from CloudWatch metrics. Without access logging, the following risks arise:

  • Lack of visibility: per-request usage patterns and errors cannot be reconstructed. CloudWatch metrics show only aggregate counts and latencies, not which client hit which route with which result.
  • Troubleshooting challenges: when the API fails to process requests, there is no per-request record (request ID, route, status code, integration error) to trace back to the root cause.
  • Security risks: malicious activity such as credential guessing, endpoint enumeration, or abuse of API endpoints leaves no trace, so it goes unnoticed and cannot be investigated after the fact, increasing the risk of breaches or misuse.

Remediation

Create (or pick) a CloudWatch Logs log group, then enable access logging on every stage of the API. In the API Gateway console, open the stage's logging settings and set the log destination to the log group ARN together with a log format that captures at least the request ID, source IP, route, method and status code. The same change can be made from the CLI with `aws apigatewayv2 update-stage --api-id <api-id> --stage-name <stage> --access-log-settings DestinationArn=<log-group-arn>,Format=<format>`, or in infrastructure-as-code. The log group must exist before it is referenced; API Gateway does not create it for you.
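The following is an added example, not code from the finding page or from FireTail: a small boto3-style audit that reproduces this check over the stages of an API and applies the remediation. The log group ARN and the JSON log format are assumptions for illustration; the `$context` variables used in the format are ones API Gateway V2 supports. The functions that decide whether a stage is non-compliant and that build the `AccessLogSettings` argument take plain data, so they can be exercised without AWS credentials; only `remediate` and the `__main__` block talk to the API.

```python
"""Audit API Gateway V2 stages for missing access logging and turn it on."""
import json

# Hypothetical destination log group. It must exist before update_stage is
# called; API Gateway does not create the log group for you.
LOG_GROUP_ARN = (
    "arn:aws:logs:us-east-1:123456789012:log-group:/aws/apigateway/example-http-api"
)

# A JSON access-log format built from $context variables that API Gateway V2
# supports. One JSON object per request makes the logs easy to query later.
ACCESS_LOG_FORMAT = json.dumps({
    "requestId": "$context.requestId",
    "ip": "$context.identity.sourceIp",
    "requestTimeEpoch": "$context.requestTimeEpoch",
    "httpMethod": "$context.httpMethod",
    "routeKey": "$context.routeKey",
    "status": "$context.status",
    "protocol": "$context.protocol",
    "responseLength": "$context.responseLength",
    "userAgent": "$context.identity.userAgent",
})


def access_logging_off(stage):
    """True when a get_stages item has no usable access-log destination.

    A stage may carry an AccessLogSettings block with only a Format and no
    DestinationArn; that still writes nothing, so treat it as a finding.
    """
    settings = stage.get("AccessLogSettings") or {}
    return not settings.get("DestinationArn")


def find_findings(stages):
    """Names of the stages in a list of get_stages items that fail the check."""
    return [s["StageName"] for s in stages if access_logging_off(s)]


def build_access_log_settings(destination_arn=LOG_GROUP_ARN, fmt=ACCESS_LOG_FORMAT):
    """The AccessLogSettings argument that update_stage expects."""
    return {"DestinationArn": destination_arn, "Format": fmt}


def list_stages(client, api_id):
    """Walk the paginated get_stages response for one API."""
    stages, token = [], None
    while True:
        kwargs = {"ApiId": api_id}
        if token:
            kwargs["NextToken"] = token
        resp = client.get_stages(**kwargs)
        stages.extend(resp.get("Items", []))
        token = resp.get("NextToken")
        if not token:
            return stages


def remediate(client, api_id, destination_arn=LOG_GROUP_ARN):
    """Enable access logging on every non-compliant stage of one API."""
    fixed = []
    for name in find_findings(list_stages(client, api_id)):
        client.update_stage(
            ApiId=api_id,
            StageName=name,
            AccessLogSettings=build_access_log_settings(destination_arn),
        )
        fixed.append(name)
    return fixed


if __name__ == "__main__":
    import boto3  # only needed for a live run against an account

    client = boto3.client("apigatewayv2")
    for api in client.get_apis().get("Items", []):
        findings = find_findings(list_stages(client, api["ApiId"]))
        print(api["ApiId"], api["Name"], "stages without access logging:", findings)
```

Run the audit loop first and review the list; call `remediate(client, api_id)` only once the log group exists in the same region as the API, otherwise `update_stage` is rejected.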

Example Attack Scenario

An attacker brute-forces an API endpoint by sending many unauthorized requests to guess valid API keys or credentials. Without access logging there is no record of these requests, so the attack leaves no trace to detect or to investigate afterwards. With access logging enabled, the burst of 401 and 403 responses from a single source IP is visible in the logs, so the security team can spot the unusual number of failed requests from that address and block the source before the attack escalates.
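As an added example that is not part of the original page, the detection the scenario describes, run over constructed access-log lines: the lines are in the JSON shape a `$context`-based access-log format would emit (field names `ip`, `status`, `requestTimeEpoch` are assumed to match that format), and the hunt flags any source IP whose 401/403 responses exceed a threshold inside a sliding time window. The IP addresses, timestamps and threshold are invented for illustration.

```python
"""Hunt for credential brute-forcing in API Gateway V2 JSON access logs."""
import json
from collections import defaultdict

BASE_MS = 1_711_195_200_000  # 2024-03-23T12:00:00Z, arbitrary anchor for the sample


def _sample_line(ip, offset_ms, status, route="POST /login"):
    """Build one constructed log line in the JSON shape a $context format emits.

    API Gateway substitutes every $context value as text, so numbers arrive as
    strings; the parser below casts them.
    """
    return json.dumps({
        "requestId": f"req-{ip}-{offset_ms}",
        "ip": ip,
        "requestTimeEpoch": str(BASE_MS + offset_ms),
        "httpMethod": route.split()[0],
        "routeKey": route,
        "status": str(status),
        "protocol": "HTTP/1.1",
        "responseLength": "27",
    })


# Constructed sample: one client hammering /login, one ordinary user with a
# single typo, one client with two failures far apart, and a malformed line.
SAMPLE_LOG_LINES = (
    [_sample_line("203.0.113.7", i * 2_000, 401) for i in range(6)]      # 6 failures in 10 s
    + [_sample_line("203.0.113.7", 12_000, 200)]                          # then a success
    + [_sample_line("198.51.100.9", 1_000, 200, "GET /me"),
       _sample_line("198.51.100.9", 3_000, 401),
       _sample_line("198.51.100.9", 5_000, 200, "GET /me")]               # one stray failure
    + [_sample_line("192.0.2.4", 0, 403), _sample_line("192.0.2.4", 90_000, 403)]  # 90 s apart
    + ["{not json"]                                                       # malformed line
)


def parse_lines(lines):
    """Parse JSON access-log lines, skipping blank or malformed ones."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole hunt
    return events


def find_bruteforce_sources(events, window_ms=60_000, threshold=5,
                            failure_statuses=(401, 403)):
    """Return {source_ip: peak failures in any window_ms window} for IPs at or above threshold."""
    failures = defaultdict(list)
    for event in events:
        try:
            status = int(event["status"])
            ts = int(event["requestTimeEpoch"])
        except (KeyError, TypeError, ValueError):
            continue  # missing or non-numeric fields: not usable for this check
        if status in failure_statuses:
            failures[event.get("ip", "unknown")].append(ts)

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it is within window_ms of t.
            while t - times[start] > window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LOG_LINES)
    for ip, count in find_bruteforce_sources(events).items():
        print(f"{ip}: {count} failed requests inside 60 s, candidate for blocking")
```

The same functions work on real lines pulled from the stage's log group (for example with `aws logs filter-log-events`), as long as the stage's log format includes `$context.identity.sourceIp`, `$context.status` and `$context.requestTimeEpoch` under the field names used here.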
