For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible/aws/api_gateway_with_cloudwatch_logging_disabled.md. A documentation index is available at /llms.txt.

Metadata

Id: 72a931c2-12f5-40d1-93cc-47bff2f7aa2a

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Observability


Description

APIs must send request logs and execution traces to CloudWatch Logs so that activity, errors, and suspicious behavior can be detected and investigated. Without a configured log group there is no destination for API Gateway access logs or execution logs, and you lose the visibility that incident response and troubleshooting depend on.

In Ansible, tasks using the amazon.aws.cloudwatchlogs_log_group module (or the short form cloudwatchlogs_log_group) must include the log_group_name property to create or reference a specific CloudWatch Logs group. Tasks missing log_group_name, or setting it to an empty or null value, are flagged. The module itself treats log_group_name as a required parameter, so a task without it would fail when the playbook runs; this rule reports the problem at scan time, before the playbook is executed. Set log_group_name to a stable, descriptive string (the /aws/apigateway/<api-name> convention keeps API Gateway groups easy to find) and consider retention_in_days and kms_key_id so that logs are kept for a defined period and encrypted at rest.

Creating the group is necessary but not sufficient: a log group that no API Gateway stage references receives nothing. After the group exists, point the stage's access logging (its access log destination is the log group's ARN) or execution logging at that group, and confirm that log streams actually appear in the group after traffic is sent to the API.

Secure configuration example:

- name: Create CloudWatch log group for API Gateway
  amazon.aws.cloudwatchlogs_log_group:
    log_group_name: "/aws/apigateway/my-api"
    state: present
    retention_in_days: 30

Compliant Code Examples

- name: Create CloudWatch log group for API Gateway
  amazon.aws.cloudwatchlogs_log_group:
    state: present
    log_group_name: test-log-group   # required by this rule (and by the module)
    tags: {Name: test-log-group, Env: QA}
    kms_key_id: arn:aws:kms:region:account-id:key/key-id

Non-Compliant Code Examples

---
- name: Create CloudWatch log group for API Gateway
  amazon.aws.cloudwatchlogs_log_group:
    state: present
    # log_group_name is missing: the task is flagged by this rule,
    # and the module would also refuse to run without it
    kms_key_id: arn:aws:kms:region:account-id:key/key-id
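The check this rule performs can be reproduced locally so that playbooks are caught before they reach a CI scanner. The following is an added example written for this page; it is not Datadog's scanner and not code from the amazon.aws collection. It walks the parsed playbook structure (what yaml.safe_load returns), recognises the module under its fully qualified, legacy community.aws and short names (an assumption about which spellings matter to you), accepts both mapping-style and legacy "key=value" string arguments, descends into block/rescue/always, and flags any log-group task whose log_group_name is missing, null or blank. PyYAML is only imported inside load_playbook, so the checker itself runs with the standard library; the sample tasks at the bottom are constructed for the demonstration and mirror the compliant and non-compliant examples above.

```python
"""Static check for this rule: every task that calls the
cloudwatchlogs_log_group module must carry a non-empty log_group_name.

Added example, not Datadog's scanner or the amazon.aws collection's code.
It operates on the structure produced by yaml.safe_load on a playbook;
the sample tasks at the bottom are constructed for the demonstration.
"""

import shlex

# Module names under which the task can appear in a playbook (assumption:
# these are the spellings worth matching; extend as needed).
LOG_GROUP_MODULES = {
    "amazon.aws.cloudwatchlogs_log_group",
    "community.aws.cloudwatchlogs_log_group",  # pre-5.0 location
    "cloudwatchlogs_log_group",
}

# Task keys that hold nested task lists rather than module arguments.
NESTED_KEYS = ("block", "rescue", "always")


def _module_args(task):
    """Return (module_name, args dict) if the task calls the log-group module,
    else None. Ansible accepts args as a mapping, as a 'k=v k=v' string, or
    under the generic 'args:' key, so all three forms are normalised here."""
    for key, value in task.items():
        if key not in LOG_GROUP_MODULES:
            continue
        args = {}
        if isinstance(value, dict):
            args.update(value)
        elif isinstance(value, str):
            for token in shlex.split(value):
                name, _, val = token.partition("=")
                args[name] = val
        extra = task.get("args")
        if isinstance(extra, dict):
            args.update(extra)
        return key, args
    return None


def find_violations(tasks, path=()):
    """Walk a task list (including block/rescue/always) and return one
    (task path, task name) tuple per log-group task whose log_group_name is
    missing, None or blank."""
    violations = []
    for idx, task in enumerate(tasks):
        if not isinstance(task, dict):
            continue
        here = path + (idx,)
        for key in NESTED_KEYS:
            if isinstance(task.get(key), list):
                violations.extend(find_violations(task[key], here + (key,)))
        found = _module_args(task)
        if found is None:
            continue
        _, args = found
        name = args.get("log_group_name")
        if name is None or not str(name).strip():
            violations.append((here, task.get("name", "<unnamed task>")))
    return violations


def find_violations_in_playbook(playbook):
    """A playbook is a list of plays; check every task section of each play."""
    violations = []
    for play_idx, play in enumerate(playbook):
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            if isinstance(play.get(section), list):
                violations.extend(
                    find_violations(play[section], (play_idx, section)))
    return violations


def load_playbook(text):
    """Parse playbook YAML. PyYAML is imported lazily (assumption: it is
    installed when you point the checker at real files)."""
    import yaml
    return yaml.safe_load(text)


# Constructed sample: the page's compliant and non-compliant tasks plus the
# edge cases a scanner must handle (empty name, nested block, string args).
SAMPLE_TASKS = [
    {"name": "compliant mapping form",
     "amazon.aws.cloudwatchlogs_log_group": {
         "state": "present", "log_group_name": "test-log-group"}},
    {"name": "non-compliant: name missing",
     "amazon.aws.cloudwatchlogs_log_group": {
         "state": "present",
         "kms_key_id": "arn:aws:kms:region:account-id:key/key-id"}},
    {"name": "non-compliant: name empty",
     "community.aws.cloudwatchlogs_log_group": {
         "state": "present", "log_group_name": ""}},
    {"block": [
        {"name": "compliant legacy string form",
         "cloudwatchlogs_log_group":
             "state=present log_group_name=/aws/apigateway/my-api"},
        {"name": "non-compliant inside block",
         "cloudwatchlogs_log_group": {"state": "present"}},
    ]},
]

if __name__ == "__main__":
    for path, name in find_violations(SAMPLE_TASKS):
        print("/".join(map(str, path)), "->", repr(name), "lacks log_group_name")
```

Run against the sample it reports three tasks: the one with no log_group_name, the one with an empty string, and the one nested inside a block. The string-argument task passes because shlex.split turns the legacy form into the same key/value view as the mapping form, which is the detail most home-grown greps miss.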