
Traceability Loss - API Gateway - Cloudformation


Need

Enhancement of traceability and logging capabilities in API Gateway


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS SDK for interacting with Amazon Web Services

Description

Insecure Code Example

Resources:
  MyRestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: my-rest-api
      Description: This is my API for demonstration purposes

  # A deployment needs at least one method; a mock GET on the root resource
  # is enough for this demonstration
  MyMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref MyRestApi
      ResourceId: !GetAtt MyRestApi.RootResourceId
      HttpMethod: GET
      AuthorizationType: AWS_IAM
      Integration:
        Type: MOCK

  # No StageName here: the stage is declared separately below, and naming it
  # in both places makes the stack fail with "Stage already exists"
  MyDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: MyMethod
    Properties:
      RestApiId: !Ref MyRestApi

  # AccessLogSetting is absent, so no access logs are written for this stage
  MyStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: prod
      DeploymentId: !Ref MyDeployment
      RestApiId: !Ref MyRestApi

The example above defines an AWS API Gateway REST API using CloudFormation without enabling logging. The `AWS::ApiGateway::RestApi` resource creates the API, and the `AWS::ApiGateway::Stage` resource defines the "prod" stage, but the stage's `AccessLogSetting` property is not configured, so no access logs are captured. Without logging, visibility into request and response data is lost, which makes it harder to troubleshoot issues or detect abnormal behavior; this loss of traceability is considered a security weakness.

Steps

  1. Enable the logging feature in the API Gateway stage using AccessLogSetting
  2. Define a CloudWatch Logs group to receive the logs
  3. Reference the log group ARN in the stage configuration
  4. Set a detailed access log format using $context variables

Secure Code Example

Resources:
  MyRestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: my-rest-api
      Description: This is my API for demonstration purposes

  # Destination for the access logs; ${MyRestApi} resolves to the API ID
  MyLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "${MyRestApi}-access-logs"

  # A deployment needs at least one method; a mock GET on the root resource
  # is enough for this demonstration
  MyMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref MyRestApi
      ResourceId: !GetAtt MyRestApi.RootResourceId
      HttpMethod: GET
      AuthorizationType: AWS_IAM
      Integration:
        Type: MOCK

  # No StageName here: the stage is declared separately below, and naming it
  # in both places makes the stack fail with "Stage already exists"
  MyDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: MyMethod
    Properties:
      RestApiId: !Ref MyRestApi

  MyStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: prod
      DeploymentId: !Ref MyDeployment
      RestApiId: !Ref MyRestApi
      AccessLogSetting:
        DestinationArn: !GetAtt MyLogGroup.Arn
        # Folded (>-) so the format is a single line. REST API stages expose
        # the path as $context.resourcePath; $context.routeKey is an HTTP API variable
        Format: >-
          $context.identity.sourceIp - - [$context.requestTime]
          "$context.httpMethod $context.resourcePath $context.protocol"
          $context.status $context.responseLength $context.requestId

This example corrects the weakness by enabling access logging on the API Gateway stage through the `AccessLogSetting` property. An `AWS::Logs::LogGroup` resource is created to store the logs, and its ARN is referenced as the stage's log destination. The log format is built from `$context` variables so that each entry carries the relevant request and response metadata (source IP, request time, method, path, status, response size and request ID). Enabling logging restores traceability and allows integration with monitoring tools such as CloudWatch to detect anomalies and investigate issues.
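As an added example (not part of the original page), the following Python check detects the weakness described above in a parsed CloudFormation template: it flags every `AWS::ApiGateway::Stage` whose `AccessLogSetting` has no `DestinationArn`, or whose `Format` omits a minimum set of `$context` fields. The template is assumed to be already parsed into a dict (as PyYAML or the AWS SDK would return it), the minimum field set is an assumed policy choice, and the two embedded templates are constructed dict versions of the insecure and secure examples on this page.

```python
# Added example (not from the original page): static check for API Gateway
# stages with missing or insufficient access logging. Works on an already
# parsed CloudFormation template (a dict); no AWS credentials are needed.
from typing import Any

STAGE_TYPE = "AWS::ApiGateway::Stage"
# Assumed minimum a useful access log format must carry (a policy choice)
REQUIRED_VARS = ("$context.requestId", "$context.identity.sourceIp", "$context.status")


def find_unlogged_stages(template: dict[str, Any]) -> list[str]:
    """Return one finding per stage whose access logging is absent or too thin."""
    findings: list[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != STAGE_TYPE:
            continue
        setting = resource.get("Properties", {}).get("AccessLogSetting") or {}
        if not setting.get("DestinationArn"):  # no log destination at all
            findings.append(f"{logical_id}: AccessLogSetting.DestinationArn missing")
            continue
        fmt = setting.get("Format")
        fmt = fmt if isinstance(fmt, str) else ""  # Format may be absent or an intrinsic
        missing = [v for v in REQUIRED_VARS if v not in fmt]
        if missing:
            findings.append(f"{logical_id}: Format lacks " + ", ".join(missing))
    return findings


# The page's two templates in parsed form (constructed here); short-form
# intrinsics such as !Ref and !GetAtt appear as their Fn::* equivalents.
def _stage(extra: dict[str, Any]) -> dict[str, Any]:
    props = {"StageName": "prod", "DeploymentId": {"Ref": "MyDeployment"},
             "RestApiId": {"Ref": "MyRestApi"}, **extra}
    return {"Type": STAGE_TYPE, "Properties": props}

COMMON = {
    "MyRestApi": {"Type": "AWS::ApiGateway::RestApi", "Properties": {"Name": "my-rest-api"}},
    "MyDeployment": {"Type": "AWS::ApiGateway::Deployment",
                     "Properties": {"RestApiId": {"Ref": "MyRestApi"}}},
}
INSECURE_TEMPLATE = {"Resources": {**COMMON, "MyStage": _stage({})}}
SECURE_TEMPLATE = {"Resources": {
    **COMMON,
    "MyLogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {}},
    "MyStage": _stage({"AccessLogSetting": {
        "DestinationArn": {"Fn::GetAtt": ["MyLogGroup", "Arn"]},
        "Format": '$context.identity.sourceIp - - [$context.requestTime] '
                  '"$context.httpMethod $context.resourcePath $context.protocol" '
                  '$context.status $context.responseLength $context.requestId'}}),
}}
```

Running `find_unlogged_stages` over a template loaded from YAML works the same way, provided the loader maps the `!Ref`/`!GetAtt`/`!Sub` tags to values rather than rejecting them.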


References

  • 408 - Traceability Loss - API Gateway

  • Last updated: 2025/04/04