---
title: API Gateway with CloudWatch Logs disabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > API Gateway with CloudWatch Logs disabled
---

# API Gateway with CloudWatch Logs disabled

## Metadata{% #metadata %}

**Id:** `ansible-aws-api-gateway-with-cloudwatch-logging-disabled`

**Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudwatchlogs_log_group_module.html#ansible-collections-community-aws-cloudwatchlogs-log-group-module)

### Description{% #description %}

APIs must send request logs and execution traces to CloudWatch Logs so activity, errors, and suspicious behavior can be detected and investigated. Without a configured log group, you lose critical visibility for incident response and troubleshooting.

In Ansible, tasks using the `amazon.aws.cloudwatchlogs_log_group` or `cloudwatchlogs_log_group` module must include the `log_group_name` parameter to create or reference a specific CloudWatch Logs group. Tasks that omit `log_group_name`, or leave it unset, are flagged. Set `log_group_name` to a stable, descriptive string and point the API Gateway stage's access logging or execution tracing at that group.

Secure configuration example:

```yaml
- name: Create CloudWatch log group for API Gateway
  amazon.aws.cloudwatchlogs_log_group:
    log_group_name: "/aws/apigateway/my-api"
    state: present
    retention_in_days: 30
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Setup AWS API Gateway setup on AWS cloudwatchlogs
  amazon.aws.cloudwatchlogs_log_group:
    state: present
    log_group_name: test-log-group
    tags: {Name: test-log-group, Env: QA}
    kms_key_id: arn:aws:kms:region:account-id:key/key-id
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: Setup AWS API Gateway setup on AWS cloudwatchlogs
  amazon.aws.cloudwatchlogs_log_group:
    state: present
    # log_group_name is absent, so no specific log group is created or referenced and the rule flags this task
    kms_key_id: arn:aws:kms:region:account-id:key/key-id
```
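As an added example (not part of the Datadog rule or of Ansible's own tooling), the following Python checker implements the rule described above: it walks an already-parsed playbook (the structure `yaml.safe_load` returns for a playbook or task file; no YAML library is assumed here), finds every task that calls the module under any of its names, and flags those whose `log_group_name` is missing, null or empty. The two embedded playbooks are the page's compliant and non-compliant examples, constructed inline as Python literals; the handling of nested `block`/`rescue`/`always` lists, the separate `args:` form and free-form `key=value` arguments goes beyond what the page shows.

```python
from typing import Any

# Every spelling of the module the rule covers (short name and both FQCNs).
MODULES = {"cloudwatchlogs_log_group", "amazon.aws.cloudwatchlogs_log_group",
           "community.aws.cloudwatchlogs_log_group"}
# Keys under which Ansible nests further tasks (plays, blocks, handlers).
TASK_LISTS = ("tasks", "pre_tasks", "post_tasks", "handlers", "block", "rescue", "always")

def has_log_group_name(args: Any, task: dict) -> bool:
    """True when log_group_name is present and non-empty, in any argument style."""
    if isinstance(args, str):  # free-form "key=value key=value" arguments
        pairs = dict(p.split("=", 1) for p in args.split() if "=" in p)
        return bool(pairs.get("log_group_name"))
    merged = dict(task["args"]) if isinstance(task.get("args"), dict) else {}
    if isinstance(args, dict):  # module-level keys override the args: block
        merged.update(args)
    value = merged.get("log_group_name")  # absent, null and "" all fail the rule
    return value is not None and str(value).strip() != ""

def iter_tasks(node: Any):
    """Yield every task dict that calls one of MODULES, at any nesting depth."""
    if isinstance(node, list):
        for item in node:
            yield from iter_tasks(item)
    elif isinstance(node, dict):
        if any(m in node for m in MODULES):
            yield node
        for key in TASK_LISTS:
            yield from iter_tasks(node.get(key, []))

def find_violations(playbook: Any) -> list[str]:
    """Return the names of flagged tasks ('<unnamed>' when a task has no name)."""
    findings = []
    for task in iter_tasks(playbook):
        module = next(m for m in MODULES if m in task)
        if not has_log_group_name(task[module], task):
            findings.append(task.get("name", "<unnamed>"))
    return findings

# Constructed inputs: the page's compliant and non-compliant examples, already parsed.
KMS = "arn:aws:kms:region:account-id:key/key-id"
COMPLIANT = [{"name": "Setup AWS API Gateway setup on AWS cloudwatchlogs",
              "amazon.aws.cloudwatchlogs_log_group": {
                  "state": "present", "log_group_name": "test-log-group",
                  "tags": {"Name": "test-log-group", "Env": "QA"}, "kms_key_id": KMS}}]
NON_COMPLIANT = [{"name": "Setup AWS API Gateway setup on AWS cloudwatchlogs",
                  "amazon.aws.cloudwatchlogs_log_group": {"state": "present", "kms_key_id": KMS}}]

if __name__ == "__main__":
    print(find_violations(COMPLIANT), find_violations(NON_COMPLIANT))
```

To scan a real file, load it with `yaml.safe_load(open(path))` and pass the result to `find_violations`.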
