turbot/aws_compliance

Query: apigateway_stage_logging_enabled

Usage

powerpipe query aws_compliance.query.apigateway_stage_logging_enabled

SQL

-- Reports, for every API Gateway stage (REST and v2), whether a stage-wide
-- logging level is set to something other than OFF.
--
-- Scope of the check, as written:
--   * REST stages: only the '*/*' entry of method_settings is read; other
--     method-level entries are not examined.
--   * v2 stages: only default_route_logging_level is read; other
--     route-level settings are not examined.
--   * No access-log setting is consulted, so 'ok' here says nothing about
--     whether access logs are enabled.
--   * The comparison with 'OFF' is an exact, case-sensitive string match.
-- NOTE(review): AWS documents the v2 route LoggingLevel as a WebSocket-only
-- setting, so HTTP API stages may always evaluate to 'alarm' here - confirm
-- before treating those findings as actionable.
with rest_stages as (
  select
    name as stage_name,
    -- NOTE(review): AWS documents REST API stage ARNs under '/restapis/';
    -- this expression uses '/apis/' for both API types, so the value may not
    -- match the ARN shown elsewhere for REST stages - confirm before joining
    -- on it.
    'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name as arn,
    method_settings -> '*/*' ->> 'LoggingLevel' as log_level,
    title,
    region,
    account_id,
    tags,
    _ctx
  from
    aws_api_gateway_stage
),
v2_stages as (
  select
    stage_name,
    'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name as arn,
    default_route_logging_level as log_level,
    title,
    region,
    account_id,
    tags,
    _ctx
  from
    aws_api_gatewayv2_stage
),
all_stages as (
  -- union (not union all) is kept from the original: fully identical rows
  -- across all eight columns are collapsed into one.
  select stage_name, arn, log_level, title, region, account_id, tags, _ctx
  from rest_stages
  union
  select stage_name, arn, log_level, title, region, account_id, tags, _ctx
  from v2_stages
),
evaluated as (
  select
    arn,
    title,
    region,
    account_id,
    -- true when log_level is NULL, empty, or exactly 'OFF'; never NULL itself
    coalesce(log_level, '') in ('', 'OFF') as logging_disabled
  from
    all_stages
)
select
  arn as resource,
  case
    when logging_disabled then 'alarm'
    else 'ok'
  end as status,
  -- a NULL title yields a NULL reason, because || propagates NULL
  title || case
    when logging_disabled then ' logging not enabled.'
    else ' logging enabled.'
  end as reason,
  region,
  account_id
from
  evaluated;

Controls

The query is being used by the following controls: