For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-api-gateway-access-logging-disabled.md. A documentation index is available at /llms.txt.

API Gateway V2 stage access logging settings not defined

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-api-gateway-access-logging-disabled

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Observability

Learn More

Description

API Gateway stages must have access logging and route-level/method-level request logging enabled so request activity is recorded for auditing, troubleshooting, and detecting abuse or suspicious behavior.

For HTTP APIs (AWS::ApiGatewayV2::Stage), AccessLogSettings must be defined and DefaultRouteSettings.LoggingLevel must be present and not set to OFF (use values like INFO or ERROR).

For REST APIs (AWS::ApiGateway::Stage), AccessLogSetting must be defined and each relevant entry in MethodSettings must include a LoggingLevel that is not OFF.

Resources missing these properties or with LoggingLevel set to OFF will be flagged.

Secure configuration examples:

MyHttpApiStage:
  Type: AWS::ApiGatewayV2::Stage
  Properties:
    StageName: prod
    AccessLogSettings:
      DestinationArn: arn:aws:logs:us-east-1:123456789012:log-group:/aws/apigateway/http-api
      Format: '$context.identity.sourceIp - $context.requestId - $context.requestTime'
    DefaultRouteSettings:
      LoggingLevel: INFO

MyRestApiStage:
  Type: AWS::ApiGateway::Stage
  Properties:
    StageName: prod
    AccessLogSetting:
      DestinationArn: arn:aws:logs:us-east-1:123456789012:log-group:/aws/apigateway/rest-api
      Format: '$context.identity.sourceIp - $context.requestId - $context.requestTime'
    MethodSettings:
      - ResourcePath: "/*"
        HttpMethod: "*"
        LoggingLevel: INFO

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
  MyStage:
    Type: 'AWS::ApiGatewayV2::Stage'
    Properties:
      StageName: Prod
      Description: Prod Stage
      DeploymentId: !Ref MyDeployment
      ApiId: !Ref CFNWebSocket
      DefaultRouteSettings:
        DetailedMetricsEnabled: true
        LoggingLevel: INFO
        DataTraceEnabled: false
        ThrottlingBurstLimit: 10
        ThrottlingRateLimit: 10
      AccessLogSettings:
        DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
        Format: >-
          {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
          "caller":"$context.identity.caller",
          "user":"$context.identity.user","requestTime":"$context.requestTime",
          "eventType":"$context.eventType","routeKey":"$context.routeKey",
          "status":"$context.status","connectionId":"$context.connectionId"}

{
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGatewayV2::Stage",
      "Properties": {
        "StageName": "Prod",
        "Description": "Prod Stage",
        "DeploymentId": "MyDeployment",
        "ApiId": "CFNWebSocket",
        "DefaultRouteSettings": {
          "DetailedMetricsEnabled": true,
          "LoggingLevel": "INFO",
          "DataTraceEnabled": false,
          "ThrottlingBurstLimit": 10,
          "ThrottlingRateLimit": 10
        },
        "AccessLogSettings": {
          "DestinationArn": "arn:aws:logs:us-east-1:123456789:log-group:my-log-group",
          "Format": "{\"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\",\"requestTime\":\"$context.requestTime\", \"eventType\":\"$context.eventType\",\"routeKey\":\"$context.routeKey\", \"status\":\"$context.status\",\"connectionId\":\"$context.connectionId\"}"
        }
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53"
}

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyStage": {
            "Type": "AWS::ApiGateway::Stage",
            "Properties": {
                "StageName": "Prod",
                "Description": "Prod Stage",
                "AccessLogSetting": {
                    "DestinationArn": "dest",
                    "Format": "format"
                },
                "DeploymentId": {
                    "Ref": "MyDeployment"
                },
                "MethodSettings": {
                  "DetailedMetricsEnabled": true,
                  "LoggingLevel": "INFO",
                  "DataTraceEnabled": false,
                  "ThrottlingBurstLimit": 10,
                  "ThrottlingRateLimit": 10
                },
                "RestApiId": {
                    "Ref": "CFNWebSocket"
                }
            }
        }
    }
}

Non-Compliant Code Examples

Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      AccessLogSetting: 
        DestinationArn: "dest"
        Format: "format"
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
      ClientCertificateId: ""
      Variables:
        Stack: Prod
      MethodSettings:
        - ResourcePath: /
          HttpMethod: GET
          MetricsEnabled: false
          DataTraceEnabled: false
        - ResourcePath: /stack
          HttpMethod: POST
          MetricsEnabled: false
          DataTraceEnabled: false
        - ResourcePath: /stack
          HttpMethod: GET
          MetricsEnabled: true
          DataTraceEnabled: false

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyStage": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "StageName": "Prod",
        "Description": "Prod Stage",
        "AccessLogSetting": {
            "DestinationArn": "dest",
            "Format": "format"
        },
        "DeploymentId": {
          "Ref": "MyDeployment"
        },
        "RestApiId": {
          "Ref": "CFNWebSocket"
        },
        "MethodSettings": {
        }
      }
    }
  }
}

Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      AccessLogSetting: 
        DestinationArn: "dest"
        Format: "format"
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref TestDeployment
      DocumentationVersion: ""
      MethodSettings: