Traceability Loss - API Gateway
Need
Enhancement of traceability and logging capabilities in API Gateway
Context
• Usage of CloudFormation for Infrastructure as Code (IaC)
• Usage of AWS SDK for interacting with Amazon Web Services
Description
1. Non-compliant code

Resources:
  MyRestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: my-rest-api
      Description: This is my API for demonstration purposes
    Type: AWS::ApiGateway::Deployment...

This example defines an AWS API Gateway REST API using CloudFormation without enabling logging. The `AWS::ApiGateway::RestApi` resource creates the API, and the `AWS::ApiGateway::Stage` resource defines the "prod" stage. However, the `AccessLogSetting` property is not configured in the stage, so access logs are not captured. Without logging there is a loss of visibility into request and response data, which makes it harder to troubleshoot issues or detect abnormal behavior; this traceability loss is considered a security weakness.
2. Steps
• Enable the logging feature in the API Gateway stage using AccessLogSetting
• Define a CloudWatch Logs group to receive the logs
• Reference the log group ARN in the stage configuration
• Set a detailed access log format using $context variables
3. Secure code example

Resources:
  MyRestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: my-rest-api
      Description: This is my API for demonstration purposes
    Type: AWS::Logs::LogGroup...

This example corrects the vulnerability by enabling access logging in the API Gateway stage through the `AccessLogSetting` property. An `AWS::Logs::LogGroup` resource is created to store the logs, and its ARN is referenced as the destination in the stage. The log format is defined using `$context` variables to include relevant request and response metadata. Enabling logging restores traceability and allows integration with monitoring tools such as CloudWatch to detect anomalies and investigate issues.
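As an added example (not part of the original guideline), the following Python script applies the check described above to a CloudFormation template before deployment: it flags every `AWS::ApiGateway::Stage` whose `AccessLogSetting` is missing, whose `DestinationArn` does not point at an `AWS::Logs::LogGroup` in the same template, or whose `Format` lacks the `$context.requestId`/`$context.extendedRequestId` field that API Gateway requires. It assumes the template is supplied in CloudFormation's JSON form (so only the standard library is needed); the sample templates and the logical ids `ProdStage` and `ApiLogGroup` are constructed for this example.

```python
import json

STAGE, LOG_GROUP = "AWS::ApiGateway::Stage", "AWS::Logs::LogGroup"
# API Gateway rejects an access log Format that carries neither of these fields.
REQUIRED_IDS = ("$context.requestId", "$context.extendedRequestId")

def _ref_target(value):
    """Logical id behind {"Ref": X} or {"Fn::GetAtt": [X, "Arn"]}; None for literal ARNs."""
    if not isinstance(value, dict):
        return None
    return value.get("Ref") or (value.get("Fn::GetAtt") or [None])[0]

def find_unlogged_stages(template):
    """Return {stage_logical_id: [findings]}; an empty list means access logging is configured."""
    resources = template.get("Resources", {})
    report = {}
    for name, res in resources.items():
        if res.get("Type") != STAGE:
            continue
        problems = []
        setting = res.get("Properties", {}).get("AccessLogSetting")
        if not setting:
            problems.append("AccessLogSetting missing: access logs are not captured")
        else:
            dest = setting.get("DestinationArn")
            if not dest:
                problems.append("DestinationArn missing")
            elif (target := _ref_target(dest)) and resources.get(target, {}).get("Type") != LOG_GROUP:
                problems.append(f"DestinationArn refers to {target}, not an {LOG_GROUP}")
            if not any(field in setting.get("Format", "") for field in REQUIRED_IDS):
                problems.append("Format lacks $context.requestId/extendedRequestId")
        report[name] = problems
    return report

# Constructed samples (JSON form of the page's YAML), trimmed to the resources the check needs.
NON_COMPLIANT = json.loads("""{"Resources": {
  "MyRestApi": {"Type": "AWS::ApiGateway::RestApi", "Properties": {"Name": "my-rest-api"}},
  "ProdStage": {"Type": "AWS::ApiGateway::Stage",
    "Properties": {"RestApiId": {"Ref": "MyRestApi"}, "StageName": "prod"}}}}""")
COMPLIANT = json.loads("""{"Resources": {
  "MyRestApi": {"Type": "AWS::ApiGateway::RestApi", "Properties": {"Name": "my-rest-api"}},
  "ApiLogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {"RetentionInDays": 90}},
  "ProdStage": {"Type": "AWS::ApiGateway::Stage",
    "Properties": {"RestApiId": {"Ref": "MyRestApi"}, "StageName": "prod",
      "AccessLogSetting": {"DestinationArn": {"Fn::GetAtt": ["ApiLogGroup", "Arn"]},
        "Format": "$context.requestId $context.identity.sourceIp $context.httpMethod $context.path $context.status"}}}}}""")

if __name__ == "__main__":
    print(find_unlogged_stages(NON_COMPLIANT), find_unlogged_stages(COMPLIANT))
```

A literal ARN string as `DestinationArn` cannot be resolved inside the template, so the script accepts it and only verifies the format; a stricter pipeline would compare it against the deployed log groups.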
References
• 408. Traceability Loss - API Gateway