API Gateway with CloudWatch Logs disabled
Id: 72a931c2-12f5-40d1-93cc-47bff2f7aa2a
Cloud Provider: AWS
Platform: Ansible
Severity: Medium
Category: Observability
Description
APIs must send request logs and execution traces to CloudWatch Logs so activity, errors, and suspicious behavior can be detected and investigated. Without a configured log group, you lose critical visibility for incident response and troubleshooting.
In Ansible, tasks that call the amazon.aws.cloudwatchlogs_log_group module (or its short name, cloudwatchlogs_log_group) must set the log_group_name parameter so that a specific CloudWatch Logs group is created or referenced. Tasks that omit log_group_name, or leave it empty, are flagged. Use a stable, descriptive name (for example /aws/apigateway/my-api) and then point API Gateway at that group: creating the group by itself does not enable logging, so the stage's access log settings (the destination ARN) or execution logging must reference it as well. The module itself treats log_group_name as required, so a task without it also fails when the playbook runs; the static check simply catches the omission before anything is deployed.
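The check described above, implemented as a small standalone script. This is an added example, not Datadog's rule engine or any code from the amazon.aws collection. It assumes the task list is given as the Python objects yaml.safe_load would return for a playbook's tasks: section; the sample task list below is constructed for this example and includes the page's compliant and non-compliant tasks plus the edge cases a practitioner meets in real playbooks (an empty name, parameters under the task-level args keyword, free-form key=value syntax, and tasks nested in a block).

```python
"""Flag Ansible tasks that call a CloudWatch log-group module without a usable
log_group_name. Added example, not Datadog's own checker."""
import shlex
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Module names the rule applies to: the current FQCN, the older community.aws
# FQCN and the bare short name.
LOG_GROUP_MODULES = {
    "amazon.aws.cloudwatchlogs_log_group",
    "community.aws.cloudwatchlogs_log_group",
    "cloudwatchlogs_log_group",
}


def iter_tasks(tasks: Any) -> Iterator[dict]:
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        if any(section in task for section in ("block", "rescue", "always")):
            for section in ("block", "rescue", "always"):
                yield from iter_tasks(task.get(section))
        else:
            yield task


def log_group_call(task: dict) -> Optional[Tuple[str, Dict[str, Any]]]:
    """Return (module name, merged parameters) if the task invokes a log-group module."""
    for key, value in task.items():
        if key not in LOG_GROUP_MODULES:
            continue
        if isinstance(value, str):
            # Free-form "key=value key=value" argument syntax.
            params = dict(tok.split("=", 1) for tok in shlex.split(value) if "=" in tok)
        elif isinstance(value, dict):
            params = dict(value)
        else:
            params = {}
        # Parameters may also be supplied under the task-level 'args' keyword.
        if isinstance(task.get("args"), dict):
            params.update(task["args"])
        return key, params
    return None


def check_tasks(tasks: Any) -> List[Dict[str, str]]:
    """Return one finding per task whose log_group_name is missing or unset."""
    findings = []
    for task in iter_tasks(tasks):
        call = log_group_call(task)
        if call is None:
            continue
        module, params = call
        name = params.get("log_group_name")
        if not isinstance(name, str) or not name.strip():
            findings.append({
                "task": task.get("name", "<unnamed>"),
                "module": module,
                "reason": "log_group_name missing or unset",
            })
    return findings


# Constructed sample task list (the parsed form of a playbook's tasks: section).
SAMPLE_TASKS = [
    {"name": "Setup AWS API Gateway setup on AWS cloudwatchlogs",   # compliant
     "amazon.aws.cloudwatchlogs_log_group": {
         "state": "present", "log_group_name": "test-log-group",
         "tags": {"Name": "test-log-group", "Env": "QA"},
         "kms_key_id": "arn:aws:kms:region:account-id:key/key-id"}},
    {"name": "Log group without a name",                             # non-compliant
     "amazon.aws.cloudwatchlogs_log_group": {
         "state": "present",
         "kms_key_id": "arn:aws:kms:region:account-id:key/key-id"}},
    {"name": "Log group with empty name",                            # non-compliant
     "community.aws.cloudwatchlogs_log_group": {"state": "present", "log_group_name": ""}},
    {"name": "Log group named via args",                             # compliant
     "cloudwatchlogs_log_group": {"state": "present"},
     "args": {"log_group_name": "/aws/apigateway/my-api"}},
    {"name": "Log group via free-form args",                         # compliant
     "cloudwatchlogs_log_group": "state=present log_group_name=/aws/apigateway/other-api"},
    {"block": [                                                      # non-compliant, nested
        {"name": "Nested log group without a name",
         "amazon.aws.cloudwatchlogs_log_group": {"state": "present"}}]},
    {"name": "Unrelated", "ansible.builtin.debug": {"msg": "noop"}},  # ignored
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print(f"{finding['module']}: task '{finding['task']}': {finding['reason']}")
```

Run against the sample it reports the three tasks that omit, blank out, or nest without a log_group_name and stays silent on the rest. To use it on a real playbook, load the file with yaml.safe_load and pass each play's tasks list to check_tasks.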
Secure configuration example:
- name: Create CloudWatch log group for API Gateway
  amazon.aws.cloudwatchlogs_log_group:
    log_group_name: "/aws/apigateway/my-api"
    state: present
    retention_in_days: 30
Compliant Code Examples
- name: Setup AWS API Gateway setup on AWS cloudwatchlogs
  amazon.aws.cloudwatchlogs_log_group:
    state: present
    log_group_name: test-log-group
    tags: {Name: test-log-group, Env: QA}
    kms_key_id: arn:aws:kms:region:account-id:key/key-id
Non-Compliant Code Examples
---
- name: Setup AWS API Gateway setup on AWS cloudwatchlogs
  amazon.aws.cloudwatchlogs_log_group:
    state: present
    kms_key_id: arn:aws:kms:region:account-id:key/key-id