turbot/aws_compliance

Control: 1 API Gateway REST and WebSocket API logging should be enabled

Description

This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO.

API Gateway REST or WebSocket API stages should have relevant logs enabled. API Gateway REST and WebSocket API execution logging provides detailed records of requests made to API Gateway REST and WebSocket API stages. The stages include API integration backend responses, Lambda authorizer responses, and the requestId for AWS integration endpoints.

Remediation

To enable logging for REST and WebSocket API operations, see Set up CloudWatch API logging using the API Gateway console.

Usage

steampipe check aws_compliance.control.foundational_security_apigateway_1

SQL

This control uses a named query:

apigateway_stage_logging_enabled

Tags